diff --git a/master-local/_definitions.json b/master-local/_definitions.json index 1e23568e88836ddd945c01a812ddd4a5a4a36f19..46d37daa98de9d5a70bb96d28a60bc994c4167cb 100644 --- a/master-local/_definitions.json +++ b/master-local/_definitions.json 
@@ -890,40 +890,24 @@ }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. 
All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", "type": "string" } }, - "required": [ - "key", - "valueExpression" - ], "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", + "io.k8s.api.admissionregistration.v1alpha1.JSONPatch": { + "description": "JSONPatch defines a JSON Patch.", "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", "type": "string" } }, - "required": [ - "fieldRef", - "warning" - ], "type": "object" }, "io.k8s.api.admissionregistration.v1alpha1.MatchCondition": { 
@@ -978,111 +962,8 @@ "type": "object", "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations": { - "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", - "properties": { - "apiGroups": { - "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "apiVersions": { - "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "operations": { - "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resourceNames": { - "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resources": { - "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. 
Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "scope": { - "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", - "type": "string" - } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.ParamKind": { - "description": "ParamKind is a tuple of Group Kind and Version.", - "properties": { - "apiVersion": { - "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", - "type": "string" - }, - "kind": { - "description": "Kind is the API kind the resources belong to. Required.", - "type": "string" - } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { - "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", - "properties": { - "name": { - "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", - "type": "string" - }, - "namespace": { - "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. 
Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", - "type": "string" - }, - "parameterNotFoundAction": { - "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", - "type": "string" - }, - "selector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." 
- } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.TypeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy": { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy": { + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1092,7 +973,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
@@ -1100,25 +981,21 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicy." - }, - "status": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus", - "description": "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only." + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicy." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding": { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. 
Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding": { + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1128,7 +1005,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { 
@@ -1136,21 +1013,21 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding." + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicyBinding." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList": { - "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList": { + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1159,7 +1036,7 @@ "items": { "description": "List of PolicyBinding.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, "type": "array" }, 
@@ -1167,7 +1044,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyBindingList" + "MutatingAdmissionPolicyBindingList" ] }, "metadata": { 
@@ -1182,39 +1059,31 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBindingList", + "kind": "MutatingAdmissionPolicyBindingList", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec": { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec": { + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required." + "description": "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. 
The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT." }, "paramRef": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", - "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": "string" - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. 
If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination 
needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" } }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList": { - "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList": { + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1223,7 +1092,7 @@ "items": { "description": "List of ValidatingAdmissionPolicy.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, "type": "array" }, @@ -1231,7 +1100,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyList" + "MutatingAdmissionPolicyList" ] }, "metadata": { 
@@ -1246,28 +1115,20 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyList", + "kind": "MutatingAdmissionPolicyList", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec": { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec": { + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. 
Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": "string" }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. 
If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" }, 
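Review bot: The added MutatingAdmissionPolicySpec descriptions still carry validation wording from the validating type. failurePolicy keeps "failurePolicy does not define how validations that evaluate to false are handled", and matchConditions says conditions "must be met for a request to be validated" and that params are accessed "in the same manner as validation expressions". A mutating policy has mutations rather than validations, so these sentences should be reworded for mutation or dropped, the way the validationActions sentence was dropped here. It would also help to say in failurePolicy what Ignore means for a mutating policy: step 3 of the matching logic says the policy is skipped, which means its mutations are not applied, and a policy that sets security defaults then fails open.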
@@ -1281,114 +1142,172 @@ }, "matchConstraints": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required." - }, - "paramKind": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", - "description": "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null." + "description": "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required." }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", + "mutations": { + "description": "mutations contain operations to perform on matching objects. 
mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" }, "type": "array", "x-kubernetes-list-type": "atomic" }, + "paramKind": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", + "description": "paramKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null." + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": "string" + }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" }, "type": "array", - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus": { - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": "integer" - }, - "typeChecking": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking", - 
"description": "The results of type checking for each expression. Presence of this field indicates the completion of the type checking." + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.Validation": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", + "io.k8s.api.admissionregistration.v1alpha1.Mutation": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. 
\"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".", - "type": "string" + "applyConfiguration": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration", + "description": "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration." }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": "string" - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. 
If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", - "type": "string" - } - }, - "required": [ - "expression" - ], - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.Variable": { - "description": "Variable is the definition of a variable that is used for composition.", - "properties": { - "expression": { - "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", - "type": "string" + "jsonPatch": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch", + "description": "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch." }, - "name": { - "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". 
Required.", "type": "string" } }, "required": [ - "name", - "expression" + "patchType" ], "type": "object" }, - "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. 
Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.ParamKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", + "type": "string" + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": "string" + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. 
Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": "string" + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": "string" + }, + "selector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.Variable": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": "object" + }, + "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation": { + "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "properties": { + "key": { + "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", + "type": "string" + }, + "valueExpression": { + "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. 
All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", "type": "string" } }, 
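Review bot: In the added NamedRuleWithOperations definition, the operations description still lists "CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations", which reads as contradicting the matchConstraints text added earlier in this hunk ("The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT"). The items are plain strings with no enum, so a schema check against this definition accepts a DELETE rule that the policy text says is not allowed; please align the wording or record the constraint. Two smaller points in the same hunk: Mutation lists only patchType under required, so nothing ties the patchType value to the presence of the matching applyConfiguration or jsonPatch field, and Variable.expression still refers to "the CEL expressions in Validation" although this hunk removes the v1alpha1 Validation definition.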
@@ -3327,48 +3246,6 @@ }, "type": "object" }, - "io.k8s.api.authentication.v1alpha1.SelfSubjectReview": { - "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "SelfSubjectReview" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus", - "description": "Status is filled in by the server with the user attributes." 
- } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "authentication.k8s.io", - "kind": "SelfSubjectReview", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus": { - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", - "properties": { - "userInfo": { - "$ref": "#/definitions/io.k8s.api.authentication.v1.UserInfo", - "description": "User attributes of the user making this request." - } - }, - "type": "object" - }, "io.k8s.api.authentication.v1beta1.SelfSubjectReview": { "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", "properties": { 
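Review bot: Removing io.k8s.api.authentication.v1alpha1.SelfSubjectReview together with SelfSubjectReviewStatus leaves only the v1beta1 definition visible in the trailing context, so any remaining "$ref" to "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus", or any manifest validated as authentication.k8s.io v1alpha1, stops resolving. Please confirm nothing else in master-local/_definitions.json references the removed names and mention the dropped version in the change description.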
@@ -4451,7 +4328,7 @@ "properties": { "containerResource": { "$ref": "#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource", - "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag." + "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "external": { "$ref": "#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource", @@ -4470,7 +4347,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
@@ -4503,7 +4380,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, 
@@ -5411,96 +5288,6 @@ }, "type": "object" }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundle": { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "metadata contains the object metadata." 
- }, - "spec": { - "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec", - "description": "spec contains the signer (if any) and trust anchors." - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList": { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items is a collection of ClusterTrustBundle objects", - "items": { - "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" - }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterTrustBundleList" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "metadata contains the list metadata." 
- } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": "string" - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. 
The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": "object" - }, "io.k8s.api.coordination.v1.Lease": { "description": "Lease defines a lease concept.", "properties": { @@ -5920,7 +5707,7 @@ ] }, "io.k8s.api.core.v1.CSIPersistentVolumeSource": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "$ref": "#/definitions/io.k8s.api.core.v1.SecretReference", @@ -8287,7 +8074,7 @@ "x-kubernetes-map-type": "atomic" }, "io.k8s.api.core.v1.LocalVolumeSource": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
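Review bot: the @@ -5411 hunk above removes all three `io.k8s.api.certificates.v1alpha1` definitions (ClusterTrustBundle, ClusterTrustBundleList, ClusterTrustBundleSpec), and no replacement version is visible in this part of the diff. Please confirm that nothing still points a `$ref` at `#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle`, and that manifests of this kind are not left unvalidated once the definition is gone. The removed descriptions were also the only place in this file that stated the access rules for trust anchors (readable by any authenticated user, `attest` on the signer required to set `signerName`, the name-prefix rule), so the change note should say where that documentation now lives.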
@@ -9357,15 +9144,15 @@ }, "awsElasticBlockStore": { "$ref": "#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "capacity": { "additionalProperties": { 
@@ -9376,11 +9163,11 @@ }, "cephfs": { "$ref": "#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "claimRef": { "$ref": "#/definitions/io.k8s.api.core.v1.ObjectReference", @@ -9389,7 +9176,7 @@ }, "csi": { "$ref": "#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource", - "description": "csi represents storage that is handled by an external CSI driver (Beta feature)." + "description": "csi represents storage that is handled by an external CSI driver." }, "fc": { "$ref": "#/definitions/io.k8s.api.core.v1.FCVolumeSource", 
@@ -9397,19 +9184,19 @@ }, "flexVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "glusterfs": { "$ref": "#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource", - "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
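Review bot: in the @@ -9397 hunk the new descriptions cover two different states under the same "Deprecated:" prefix, and the schema still accepts all four properties. `gcePersistentDisk` is redirected to a CSI driver and `flexVolume` only carries a recommendation, while `flocker` and `glusterfs` are "no longer supported", so a manifest using them passes validation against this file but the description says the in-tree type is unsupported. If any tooling built on this schema is meant to warn on these fields, it should match on the property names and treat the "no longer supported" set as errors, since the only signal added here is free text.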
@@ -9445,23 +9232,23 @@ }, "photonPersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "quobyte": { "$ref": "#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. 
More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "storageClassName": { "description": "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.", @@ -9469,7 +9256,7 @@ }, "storageos": { "$ref": "#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource", - "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md" + "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md" }, "volumeAttributesClassName": { "description": "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).", 
@@ -9481,7 +9268,7 @@ }, "vsphereVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "type": "object" @@ -10207,7 +9994,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
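Review bot: the new `containerStatuses` description in the @@ -10207 hunk states that uniqueness and membership are "not enforced" and that duplicate names or statuses for non-existent containers leave component behavior undefined, which is a change in what consumers may assume rather than a wording fix. Anything that uses this schema and indexes statuses by container name (for example to decide whether a container is running or ready) should be checked for how it handles duplicates and unknown names, and the change note for this update should call that out.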
@@ -10215,7 +10002,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, @@ -10237,7 +10024,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
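Review bot: the "More info" link in the new `initContainerStatuses` description uses `pod-lifecycle/#pod-and-container-status` with a slash before the fragment, while `containerStatuses` and `ephemeralContainerStatuses` in the neighbouring hunks use `pod-lifecycle#pod-and-container-status`. If this file is generated from the upstream OpenAPI spec, raise the inconsistency there rather than patching the snapshot. The same line also narrows the `ready = true` statement to the most recent successful "non-restartable" init container, which is a semantic change worth mentioning alongside the "not enforced" wording.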
@@ -12156,23 +11943,23 @@ "properties": { "awsElasticBlockStore": { "$ref": "#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "cephfs": { "$ref": "#/definitions/io.k8s.api.core.v1.CephFSVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." 
}, "cinder": { "$ref": "#/definitions/io.k8s.api.core.v1.CinderVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "configMap": { "$ref": "#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource", @@ -12180,7 +11967,7 @@ }, "csi": { "$ref": "#/definitions/io.k8s.api.core.v1.CSIVolumeSource", - "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers." }, "downwardAPI": { "$ref": "#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource", 
@@ -12200,23 +11987,23 @@ }, "flexVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.FlexVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "gitRepo": { "$ref": "#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource", - "description": "gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." 
+ "description": "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." }, "glusterfs": { "$ref": "#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource", - "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", @@ -12244,11 +12031,11 @@ }, "photonPersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "projected": { "$ref": "#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource", 
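Review bot: in the @@ -12244 hunk the `portworxVolume` redirect is conditional ("when the CSIMigrationPortworx feature-gate is on"), unlike the unconditional redirects stated for `awsElasticBlockStore`, `azureDisk`, `azureFile`, `cinder`, `gcePersistentDisk` and `vsphereVolume` elsewhere in this diff. Consumers that group the in-tree types into "migrated to CSI" and "unsupported" need a third case for Portworx, because which code path handles the volume depends on the cluster's feature-gate setting. `photonPersistentDisk` in the same hunk belongs to the "no longer supported" group.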
@@ -12256,15 +12043,15 @@ }, "quobyte": { "$ref": "#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "#/definitions/io.k8s.api.core.v1.RBDVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "secret": { "$ref": "#/definitions/io.k8s.api.core.v1.SecretVolumeSource", 
@@ -12272,11 +12059,11 @@ }, "storageos": { "$ref": "#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource", - "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported." }, "vsphereVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "required": [ 
@@ -13436,38 +13223,69 @@ ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", + "io.k8s.api.networking.v1.HTTPIngressPath": { + "description": "HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.", "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": "integer" + "backend": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", + "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to." }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. 
This field has a default value of zero.", - "format": "int32", - "type": "integer" + "path": { + "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".", + "type": "string" + }, + "pathType": { + "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.", + "type": "string" } }, + "required": [ + "pathType", + "backend" + ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", + "io.k8s.api.networking.v1.HTTPIngressRuleValue": { + "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' 
or '#'.", "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" + "paths": { + "description": "paths is a collection of paths that map requests to backends.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ - "type" + "paths" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchema": { - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", - "properties": { + "io.k8s.api.networking.v1.IPBlock": { + "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.", + "properties": { + "cidr": { + "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", + "type": "string" + }, + "except": { + "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "cidr" + ], + "type": "object" + }, + "io.k8s.api.networking.v1.Ingress": { + "description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. 
An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.", + "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" 
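Review bot: the @@ -13436 hunk interleaves the removal of `io.k8s.api.flowcontrol.v1beta3` definitions (ExemptPriorityLevelConfiguration, FlowDistinguisherMethod, FlowSchema) with `+` lines for `io.k8s.api.networking.v1` definitions, so it is not possible to tell from the hunk whether the networking definitions are new or were only realigned by the diff. Please confirm that dropping `flowcontrol.apiserver.k8s.io` v1beta3 is intended and that nothing validated against this file still uses that version. The added text also carries wording defects that should be reported upstream if the file is generated: "where where" in the HTTPIngressRuleValue description, and "A path element refers is the list of labels" and "if every p is an element-wise prefix of p of the request path" in `pathType`.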
@@ -13476,68 +13294,88 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "FlowSchema" + "Ingress" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec", - "description": "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec", + "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus", - "description": "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus", + "description": "status is the current state of the Ingress. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "Ingress", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", + "io.k8s.api.networking.v1.IngressBackend": { + "description": "IngressBackend describes all endpoints for a given service and port.", "properties": { - "lastTransitionTime": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." + "resource": { + "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference", + "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"." }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", + "service": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend", + "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"." + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressClass": { + "description": "IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. 
When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IngressClass" + ] }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": "string" + "spec": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec", + "description": "spec is the desired state of the IngressClass. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IngressClass", + "version": "v1" + } + ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaList": { - "description": "FlowSchemaList is a list of FlowSchema objects.", + "io.k8s.api.networking.v1.IngressClassList": { + "description": "IngressClassList is a collection of IngressClasses.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "`items` is a list of FlowSchemas.", + "description": "items is the list of IngressClasses.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass" }, "type": "array" }, @@ -13545,12 +13383,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "FlowSchemaList" + "IngressClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata." } }, "required": [ 
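Review bot: In `io.k8s.api.networking.v1.IngressBackend`, the `resource` and `service` descriptions each state that the two settings are mutually exclusive, but the definition lists both as plain optional properties with no `oneOf` or union marker, so a validator driven by this schema accepts a backend that sets both. If this file is used to check manifests before they reach the API server, either express the constraint structurally or state that the exclusivity check is left to server-side validation.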
@@ -13559,185 +13397,243 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchemaList", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "IngressClassList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec": { - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "io.k8s.api.networking.v1.IngressClassParametersReference": { + "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.", "properties": { - "distinguisherMethod": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod", - "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." + "apiGroup": { + "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", + "type": "string" }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": "integer" + "kind": { + "description": "kind is the type of resource being referenced.", + "type": "string" }, - "priorityLevelConfiguration": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference", - "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. 
If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." + "name": { + "description": "name is the name of resource being referenced.", + "type": "string" }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "namespace": { + "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".", + "type": "string" + }, + "scope": { + "description": "scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".", + "type": "string" } }, "required": [ - "priorityLevelConfiguration" + "kind", + "name" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus": { - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.GroupSubject": { - "description": "GroupSubject holds detailed information for group-kind subject.", + "io.k8s.api.networking.v1.IngressClassSpec": { + "description": "IngressClassSpec provides information about the class of an Ingress.", 
"properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", + "controller": { + "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.", "type": "string" + }, + "parameters": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference", + "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters." } }, - "required": [ - "name" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.LimitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", + "io.k8s.api.networking.v1.IngressList": { + "description": "IngressList is a collection of Ingress.", "properties": { - "queuing": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration", - "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" + }, + "items": { + "description": "items is the list of Ingress.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IngressList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ - "type" + "items" ], "type": "object", - "x-kubernetes-unions": [ + "x-kubernetes-group-version-kind": [ { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } + "group": "networking.k8s.io", + "kind": "IngressList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", + "io.k8s.api.networking.v1.IngressLoadBalancerIngress": { + "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.", "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. 
The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": "integer" - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": "integer" + "hostname": { + "description": "hostname is set for load-balancer ingress points that are DNS based.", + "type": "string" }, - "limitResponse": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse", - "description": "`limitResponse` indicates what to do with requests that can not be executed right now" + "ip": { + "description": "ip is set for load-balancer ingress points that are IP based.", + "type": "string" }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. 
This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": "integer" + "ports": { + "description": "ports provides information about the ports exposed by this LoadBalancer.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", + "io.k8s.api.networking.v1.IngressLoadBalancerStatus": { + "description": "IngressLoadBalancerStatus represents the status of a load-balancer.", "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. 
Required.", + "ingress": { + "description": "ingress is a list containing ingress points for the load-balancer.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress" }, "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressPortStatus": { + "description": "IngressPortStatus represents the error condition of a service port", + "properties": { + "error": { + "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.", + "type": "string" + }, + "port": { + "description": "port is the port number of the ingress port.", + "format": "int32", + "type": "integer" + }, + "protocol": { + "description": "protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"", + "type": "string" } }, "required": [ - "verbs", - "nonResourceURLs" + "port", + "protocol" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. 
This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "io.k8s.api.networking.v1.IngressRule": { + "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", + "host": { + "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. 
If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.", + "type": "string" + }, + "http": { + "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressServiceBackend": { + "description": "IngressServiceBackend references a Kubernetes Service as a Backend.", + "properties": { + "name": { + "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.", + "type": "string" + }, + "port": { + "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort", + "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend." + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "io.k8s.api.networking.v1.IngressSpec": { + "description": "IngressSpec describes the Ingress the user wishes to exist.", + "properties": { + "defaultBackend": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", + "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller." + }, + "ingressClassName": { + "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. 
However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.", + "type": "string" + }, + "rules": { + "description": "rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", + "tls": { + "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS" }, "type": "array", "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. 
Required.", + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressStatus": { + "description": "IngressStatus describe the current state of the Ingress.", + "properties": { + "loadBalancer": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus", + "description": "loadBalancer contains the current status of the load-balancer." + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressTLS": { + "description": "IngressTLS describes the transport layer security associated with an ingress.", + "properties": { + "hosts": { + "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" + }, + "secretName": { + "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.", + "type": "string" } }, - "required": [ - "subjects" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration": { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "io.k8s.api.networking.v1.NetworkPolicy": { + "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
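Review bot: In `io.k8s.api.networking.v1.IngressClassParametersReference`, `namespace` is described as required when `scope` is "Namespace" and as forbidden when `scope` is "Cluster", yet `required` lists only `kind` and `name`, and `scope` is an unconstrained string with no `enum`. A schema check therefore passes a namespace-scoped reference that has no namespace, as well as any misspelled scope value; consider an `enum` of the two documented values on `scope`, as is already done for `kind` elsewhere in the file, or note that the dependency is enforced elsewhere. Separately, the `IngressRule.host` description in the same hunk reads "is to equal to the suffix", which should be "is equal to the suffix".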
@@ -13747,68 +13643,82 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PriorityLevelConfiguration" + "NetworkPolicy" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec", - "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus", - "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec", + "description": "spec represents the specification of the desired behavior for this NetworkPolicy." 
} }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "NetworkPolicy", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", + "io.k8s.api.networking.v1.NetworkPolicyEgressRule": { + "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8", "properties": { - "lastTransitionTime": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": "string" - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": "string" + "ports": { + "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": "string" + "to": { + "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. 
Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.NetworkPolicyIngressRule": { + "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", + "properties": { + "from": { + "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": "string" + "ports": { + "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList": { - "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", + "io.k8s.api.networking.v1.NetworkPolicyList": { + "description": "NetworkPolicyList is a list of NetworkPolicy objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "`items` is a list of request-priorities.", + "description": "items is a list of schema objects.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy" }, "type": "array" }, 
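Review bot: The description of `io.k8s.api.networking.v1.NetworkPolicyEgressRule` ends with "This type is beta-level in 1.8", while the type sits under `networking.k8s.io` version `v1` and the parallel `NetworkPolicyIngressRule` description carries no maturity statement. The sentence reads as stale and should be dropped, at the source this file is produced from if it is generated. In the same hunk, `NetworkPolicyList.items` is described as "a list of schema objects", which would be clearer as a list of NetworkPolicy objects.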
@@ -13816,12 +13726,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PriorityLevelConfigurationList" + "NetworkPolicyList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ 
@@ -13830,270 +13740,213 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "NetworkPolicyList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", + "io.k8s.api.networking.v1.NetworkPolicyPeer": { + "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" + "ipBlock": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock", + "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be." + }, + "namespaceSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector." + }, + "podSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. 
Otherwise it selects the pods matching podSelector in the policy's own namespace." } }, - "required": [ - "name" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec": { - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", + "io.k8s.api.networking.v1.NetworkPolicyPort": { + "description": "NetworkPolicyPort describes a port to allow traffic on", "properties": { - "exempt": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration", - "description": "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply." + "endPort": { + "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", + "format": "int32", + "type": "integer" }, - "limited": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration", - "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." + "port": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched." }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. 
A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", + "protocol": { + "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", "type": "string" } }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ] + "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus": { - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. 
The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": "integer" - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": "integer" - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": "integer" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. 
A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", + "io.k8s.api.networking.v1.NetworkPolicySpec": { + "description": "NetworkPolicySpec provides the specification of a NetworkPolicy", "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", + "egress": { + "description": "egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" }, "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": "boolean" + "x-kubernetes-list-type": "atomic" }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. 
A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", + "ingress": { + "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" }, "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "podSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. 
An empty podSelector matches all pods in this namespace." }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", + "policyTypes": { + "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", "items": { "type": "string" }, "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" } }, "required": [ - "verbs", - "apiGroups", - "resources" + "podSelector" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "io.k8s.api.networking.v1.ServiceBackendPort": { + "description": "ServiceBackendPort is the service port being referenced.", "properties": { "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", "type": "string" }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. 
Required.", - "type": "string" + "number": { + "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".", + "format": "int32", + "type": "integer" } }, - "required": [ - "namespace", - "name" - ], - "type": "object" + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.flowcontrol.v1beta3.Subject": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", + "io.k8s.api.networking.v1beta1.IPAddress": { + "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1", "properties": { - "group": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject", - "description": "`group` matches based on user group name." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" + "description": "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IPAddress" + ] }, - "serviceAccount": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject", - "description": "`serviceAccount` matches ServiceAccounts." + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "user": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject", - "description": "`user` matches based on username." + "spec": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddressSpec", + "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, - "required": [ - "kind" - ], "type": "object", - "x-kubernetes-unions": [ + "x-kubernetes-group-version-kind": [ { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } + "group": "networking.k8s.io", + "kind": "IPAddress", + "version": "v1beta1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.UserSubject": { - "description": "UserSubject holds detailed information for user-kind subject.", + "io.k8s.api.networking.v1beta1.IPAddressList": { + "description": "IPAddressList contains a list of IPAddress.", "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "io.k8s.api.networking.v1.HTTPIngressPath": { - "description": "HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.", - "properties": { - "backend": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", - "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to." }, - "path": { - "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".", - "type": "string" + "items": { + "description": "items is the list of IPAddresses.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddress" + }, + "type": "array" }, - "pathType": { - "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. 
Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IPAddressList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ - "pathType", - "backend" + "items" ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IPAddressList", + "version": "v1beta1" + } + ] }, - "io.k8s.api.networking.v1.HTTPIngressRuleValue": { - "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.", + "io.k8s.api.networking.v1beta1.IPAddressSpec": { + "description": "IPAddressSpec describe the attributes in an IP Address.", "properties": { - "paths": { - "description": "paths is a collection of paths that map requests to backends.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "parentRef": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ParentReference", + "description": "ParentRef references the resource that an IPAddress is attached to. 
An IPAddress must reference a parent object." } }, "required": [ - "paths" + "parentRef" ], "type": "object" }, - "io.k8s.api.networking.v1.IPBlock": { - "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.", + "io.k8s.api.networking.v1beta1.ParentReference": { + "description": "ParentReference describes a reference to a parent object.", "properties": { - "cidr": { - "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", + "group": { + "description": "Group is the group of the object being referenced.", "type": "string" }, - "except": { - "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "name": { + "description": "Name is the name of the object being referenced.", + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the object being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the resource of the object being referenced.", + "type": "string" } }, "required": [ - "cidr" + "resource", + "name" ], "type": "object" }, - "io.k8s.api.networking.v1.Ingress": { - "description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.", + "io.k8s.api.networking.v1beta1.ServiceCIDR": { + "description": "ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 
192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -14103,7 +13956,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "Ingress" + "ServiceCIDR" ] }, "metadata": { 
@@ -14111,80 +13964,161 @@ "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec", - "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec", + "description": "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus", - "description": "status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus", + "description": "status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "networking.k8s.io", - "kind": "Ingress", - "version": "v1" + "kind": "ServiceCIDR", + "version": "v1beta1" } ] }, - "io.k8s.api.networking.v1.IngressBackend": { - "description": "IngressBackend describes all endpoints for a given service and port.", - "properties": { - "resource": { - "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference", - "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"." 
+ "io.k8s.api.networking.v1beta1.ServiceCIDRList": { + "description": "ServiceCIDRList contains a list of ServiceCIDR objects.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, - "service": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend", - "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"." + "items": { + "description": "items is the list of ServiceCIDRs.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDR" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ServiceCIDRList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "ServiceCIDRList", + "version": "v1beta1" + } + ] + }, + "io.k8s.api.networking.v1beta1.ServiceCIDRSpec": { + "description": "ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.", + "properties": { + "cidrs": { + "description": "CIDRs defines the IP blocks in CIDR notation (e.g. 
\"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressClass": { - "description": "IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.", + "io.k8s.api.networking.v1beta1.ServiceCIDRStatus": { + "description": "ServiceCIDRStatus describes the current state of the ServiceCIDR.", + "properties": { + "conditions": { + "description": "conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. Current service state", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": "object" + }, + "io.k8s.api.node.v1.Overhead": { + "description": "Overhead structure represents the resource overhead associated with running a pod.", + "properties": { + "podFixed": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + }, + "description": "podFixed represents the fixed resource overhead associated with running a pod.", + "type": "object" + } + }, + "type": "object" + }, + "io.k8s.api.node.v1.RuntimeClass": { + "description": "RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. 
RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, + "handler": { + "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.", + "type": "string" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressClass" + "RuntimeClass" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec", - "description": "spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "overhead": { + "$ref": "#/definitions/io.k8s.api.node.v1.Overhead", + "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" + }, + "scheduling": { + "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling", + "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes." } }, + "required": [ + "handler" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressClass", + "group": "node.k8s.io", + "kind": "RuntimeClass", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressClassList": { - "description": "IngressClassList is a collection of IngressClasses.", + "io.k8s.api.node.v1.RuntimeClassList": { + "description": "RuntimeClassList is a list of RuntimeClass objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of IngressClasses.", + "description": "items is a list of schema objects.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass" + "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass" }, "type": "array" }, @@ -14192,12 +14126,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressClassList" + "RuntimeClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata." + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ 
@@ -14206,67 +14140,113 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressClassList", + "group": "node.k8s.io", + "kind": "RuntimeClassList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressClassParametersReference": { - "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.", + "io.k8s.api.node.v1.Scheduling": { + "description": "Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.", "properties": { - "apiGroup": { - "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", - "type": "string" + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "description": "nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.", + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "kind": { - "description": "kind is the type of resource being referenced.", + "tolerations": { + "description": "tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.", + "items": { + "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.policy.v1.Eviction": { + "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. 
A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "name": { - "description": "name is the name of resource being referenced.", - "type": "string" + "deleteOptions": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions", + "description": "DeleteOptions may be provided" }, - "namespace": { - "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "Eviction" + ] }, - "scope": { - "description": "scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta describes the pod that is being evicted." 
} }, - "required": [ - "kind", - "name" - ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "policy", + "kind": "Eviction", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.IngressClassSpec": { - "description": "IngressClassSpec provides information about the class of an Ingress.", + "io.k8s.api.policy.v1.PodDisruptionBudget": { + "description": "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods", "properties": { - "controller": { - "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "parameters": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference", - "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters." + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "PodDisruptionBudget" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec", + "description": "Specification of the desired behavior of the PodDisruptionBudget." + }, + "status": { + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus", + "description": "Most recently observed status of the PodDisruptionBudget." } }, - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "policy", + "kind": "PodDisruptionBudget", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.IngressList": { - "description": "IngressList is a collection of Ingress.", + "io.k8s.api.policy.v1.PodDisruptionBudgetList": { + "description": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of Ingress.", + "description": "Items is a list of PodDisruptionBudgets", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress" + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget" }, "type": "array" }, 
@@ -14274,7 +14254,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressList" + "PodDisruptionBudgetList" ] }, "metadata": { 
@@ -14288,246 +14268,238 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressList", + "group": "policy", + "kind": "PodDisruptionBudgetList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressLoadBalancerIngress": { - "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.", + "io.k8s.api.policy.v1.PodDisruptionBudgetSpec": { + "description": "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.", "properties": { - "hostname": { - "description": "hostname is set for load-balancer ingress points that are DNS based.", - "type": "string" - }, - "ip": { - "description": "ip is set for load-balancer ingress points that are IP based.", - "type": "string" + "maxUnavailable": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\"." }, - "ports": { - "description": "ports provides information about the ports exposed by this LoadBalancer.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "minAvailable": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\"." + }, + "selector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "Label query over pods whose evictions are managed by the disruption budget. 
A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.", + "x-kubernetes-patch-strategy": "replace" + }, + "unhealthyPodEvictionPolicy": { + "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).", + "type": "string" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressLoadBalancerStatus": { - "description": "IngressLoadBalancerStatus represents the status of a load-balancer.", + "io.k8s.api.policy.v1.PodDisruptionBudgetStatus": { + "description": "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. 
Status may trail the actual state of a system.", "properties": { - "ingress": { - "description": "ingress is a list containing ingress points for the load-balancer.", + "conditions": { + "description": "Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress" + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" }, "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.IngressPortStatus": { - "description": "IngressPortStatus represents the error condition of a service port", - "properties": { - "error": { - "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.", - "type": "string" + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" }, - "port": { - "description": "port is the port 
number of the ingress port.", + "currentHealthy": { + "description": "current number of healthy pods", "format": "int32", "type": "integer" }, - "protocol": { - "description": "protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"", - "type": "string" + "desiredHealthy": { + "description": "minimum desired number of healthy pods", + "format": "int32", + "type": "integer" + }, + "disruptedPods": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "description": "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.", + "type": "object" + }, + "disruptionsAllowed": { + "description": "Number of pod disruptions that are currently allowed.", + "format": "int32", + "type": "integer" + }, + "expectedPods": { + "description": "total number of pods counted by this disruption budget", + "format": "int32", + "type": "integer" + }, + "observedGeneration": { + "description": "Most recent generation observed when updating this PDB status. 
DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.", + "format": "int64", + "type": "integer" } }, "required": [ - "port", - "protocol" + "disruptionsAllowed", + "currentHealthy", + "desiredHealthy", + "expectedPods" ], "type": "object" }, - "io.k8s.api.networking.v1.IngressRule": { - "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", + "io.k8s.api.rbac.v1.AggregationRule": { + "description": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole", "properties": { - "host": { - "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. 
If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.", - "type": "string" - }, - "http": { - "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue" + "clusterRoleSelectors": { + "description": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressServiceBackend": { - "description": "IngressServiceBackend references a Kubernetes Service as a Backend.", + "io.k8s.api.rbac.v1.ClusterRole": { + "description": "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.", "properties": { - "name": { - "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.", + "aggregationRule": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.AggregationRule", + "description": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller." + }, + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "port": { - "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort", - "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend." - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "io.k8s.api.networking.v1.IngressSpec": { - "description": "IngressSpec describes the Ingress the user wishes to exist.", - "properties": { - "defaultBackend": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", - "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller." + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ClusterRole" + ] }, - "ingressClassName": { - "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. 
However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." }, "rules": { - "description": "rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "tls": { - "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.", + "description": "Rules holds all the PolicyRules for this ClusterRole", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS" + "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, - "type": "object" - }, - "io.k8s.api.networking.v1.IngressStatus": { - "description": "IngressStatus describe the current state of the Ingress.", - "properties": { - "loadBalancer": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus", - "description": "loadBalancer contains the current status of the load-balancer." 
+ "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "version": "v1" } - }, - "type": "object" + ] }, - "io.k8s.api.networking.v1.IngressTLS": { - "description": "IngressTLS describes the transport layer security associated with an ingress.", + "io.k8s.api.rbac.v1.ClusterRoleBinding": { + "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "properties": { - "hosts": { - "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ClusterRoleBinding" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." + }, + "roleRef": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", + "description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." 
+ }, + "subjects": { + "description": "Subjects holds references to the objects the role applies to.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" }, "type": "array", "x-kubernetes-list-type": "atomic" - }, - "secretName": { - "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.", - "type": "string" } }, - "type": "object" + "required": [ + "roleRef" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleBinding", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.NetworkPolicy": { - "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods", + "io.k8s.api.rbac.v1.ClusterRoleBindingList": { + "description": "ClusterRoleBindingList is a collection of ClusterRoleBindings", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, + "items": { + "description": "Items is a list of ClusterRoleBindings", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding" + }, + "type": "array" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "NetworkPolicy" + "ClusterRoleBindingList" ] }, "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec", - "description": "spec represents the specification of the desired behavior for this NetworkPolicy." + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata." } }, + "required": [ + "items" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "NetworkPolicy", + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleBindingList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.NetworkPolicyEgressRule": { - "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8", - "properties": { - "ports": { - "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "to": { - "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. 
If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyIngressRule": { - "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", - "properties": { - "from": { - "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "ports": { - "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyList": { - "description": "NetworkPolicyList is a list of NetworkPolicy objects.", + "io.k8s.api.rbac.v1.ClusterRoleList": { + "description": "ClusterRoleList is a collection of ClusterRoles", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is a list of schema objects.", + "description": "Items is a list of ClusterRoles", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy" + "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRole" }, "type": "array" }, @@ -14535,12 +14507,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "NetworkPolicyList" + "ClusterRoleList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." } }, "required": [ 
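Review bot: the + line for "metadata" in ClusterRoleList describes a ListMeta reference as "Standard object's metadata.", which is inaccurate for a list type and drops the api-conventions link that the - line carried. Keep the list wording and the link, for example "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata".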
@@ -14549,74 +14521,49 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "NetworkPolicyList", + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.NetworkPolicyPeer": { - "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", - "properties": { - "ipBlock": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock", - "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be." - }, - "namespaceSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector." - }, - "podSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace." 
- } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyPort": { - "description": "NetworkPolicyPort describes a port to allow traffic on", + "io.k8s.api.rbac.v1.PolicyRule": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.", "properties": { - "endPort": { - "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", - "format": "int32", - "type": "integer" - }, - "port": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched." + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "protocol": { - "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", - "type": "string" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicySpec": { - "description": "NetworkPolicySpec provides the specification of a NetworkPolicy", - "properties": { - "egress": { - "description": "egress is a list of egress rules to be applied to the selected pods. 
Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "ingress": { - "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. 
An empty set means that everything is allowed.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "podSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace." + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "policyTypes": { - "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, 
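Review bot: in the added PolicyRule, the "nonResourceURLs" description runs two sentences together ("only as the full, final step in the path Since non-resource URLs are not namespaced"); add the missing period after "path". The "resourceNames" description also needs a clearer statement of its fail-open default: "An empty set means that everything is allowed" is easy to misread as "no names match", so say explicitly that leaving the field empty applies the rule to every object name of the listed resources. "white list" would read better as "allowlist".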
@@ -14625,28 +14572,48 @@ } }, "required": [ - "podSelector" + "verbs" ], "type": "object" }, - "io.k8s.api.networking.v1.ServiceBackendPort": { - "description": "ServiceBackendPort is the service port being referenced.", + "io.k8s.api.rbac.v1.Role": { + "description": "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.", "properties": { - "name": { - "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "number": { - "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".", - "format": "int32", - "type": "integer" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "Role" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." 
+ }, + "rules": { + "description": "Rules holds all the PolicyRules for this Role", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", - "x-kubernetes-map-type": "atomic" + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "Role", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1beta1.IPAddress": { - "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1", + "io.k8s.api.rbac.v1.RoleBinding": { + "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
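Review bot: check for dangling references before merging. The - lines in this hunk delete the "io.k8s.api.networking.v1.ServiceBackendPort" and "io.k8s.api.networking.v1beta1.IPAddress" definition keys at this position, and nothing in the hunk shows them being re-added. Any "$ref" elsewhere in _definitions.json that still points at either key will fail to resolve, so confirm the definitions were moved rather than dropped, or remove the referrers in the same change.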
@@ -14656,38 +14623,49 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IPAddress" + "RoleBinding" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddressSpec", - "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "roleRef": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", + "description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." 
+ }, + "subjects": { + "description": "Subjects holds references to the objects the role applies to.", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, + "required": [ + "roleRef" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IPAddress", - "version": "v1beta1" + "group": "rbac.authorization.k8s.io", + "kind": "RoleBinding", + "version": "v1" } ] }, - "io.k8s.api.networking.v1beta1.IPAddressList": { - "description": "IPAddressList contains a list of IPAddress.", + "io.k8s.api.rbac.v1.RoleBindingList": { + "description": "RoleBindingList is a collection of RoleBindings", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of IPAddresses.", + "description": "Items is a list of RoleBindings", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddress" + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleBinding" }, "type": "array" }, 
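Review bot: "required" on the added RoleBinding lists only "roleRef", so a binding with no "subjects" passes this schema. If that is intended (a binding that grants to nobody), say so in the "subjects" description, which currently reads only "Subjects holds references to the objects the role applies to." and gives no hint that the field may be absent or empty.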
@@ -14695,12 +14673,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IPAddressList" + "RoleBindingList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." } }, "required": [ 
@@ -14709,267 +14687,205 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IPAddressList", - "version": "v1beta1" + "group": "rbac.authorization.k8s.io", + "kind": "RoleBindingList", + "version": "v1" } ] }, - "io.k8s.api.networking.v1beta1.IPAddressSpec": { - "description": "IPAddressSpec describe the attributes in an IP Address.", + "io.k8s.api.rbac.v1.RoleList": { + "description": "RoleList is a collection of Roles", "properties": { - "parentRef": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ParentReference", - "description": "ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "Items is a list of Roles", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Role" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "RoleList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata." 
} }, "required": [ - "parentRef" + "items" ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "RoleList", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1beta1.ParentReference": { - "description": "ParentReference describes a reference to a parent object.", + "io.k8s.api.rbac.v1.RoleRef": { + "description": "RoleRef contains information that points to the role being used", "properties": { - "group": { - "description": "Group is the group of the object being referenced.", - "type": "string" - }, - "name": { - "description": "Name is the name of the object being referenced.", + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced", "type": "string" }, - "namespace": { - "description": "Namespace is the namespace of the object being referenced.", + "kind": { + "description": "Kind is the type of resource being referenced", "type": "string" }, - "resource": { - "description": "Resource is the resource of the object being referenced.", + "name": { + "description": "Name is the name of resource being referenced", "type": "string" } }, "required": [ - "resource", + "apiGroup", + "kind", "name" ], - "type": "object" + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.networking.v1beta1.ServiceCIDR": { - "description": "ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.", + "io.k8s.api.rbac.v1.Subject": { + "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "apiGroup": { + "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", "type": "string" }, "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ServiceCIDR" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec", - "description": "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus", - "description": "status represents the current state of the ServiceCIDR. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "networking.k8s.io", - "kind": "ServiceCIDR", - "version": "v1beta1" - } - ] - }, - "io.k8s.api.networking.v1beta1.ServiceCIDRList": { - "description": "ServiceCIDRList contains a list of ServiceCIDR objects.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", "type": "string" }, - "items": { - "description": "items is the list of ServiceCIDRs.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDR" - }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ServiceCIDRList" - ] + "name": { + "description": "Name of the object being referenced.", + "type": "string" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "namespace": { + "description": "Namespace of the referenced object. 
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", + "type": "string" } }, "required": [ - "items" + "kind", + "name" ], "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "networking.k8s.io", - "kind": "ServiceCIDRList", - "version": "v1beta1" - } - ] + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.networking.v1beta1.ServiceCIDRSpec": { - "description": "ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.", + "io.k8s.api.resource.v1alpha3.AllocationResult": { + "description": "AllocationResult contains attributes of an allocated resource.", "properties": { - "cidrs": { - "description": "CIDRs defines the IP blocks in CIDR notation (e.g. \"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "devices": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "description": "Devices is the result of allocating devices." + }, + "nodeSelector": { + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere." } }, "type": "object" }, - "io.k8s.api.networking.v1beta1.ServiceCIDRStatus": { - "description": "ServiceCIDRStatus describes the current state of the ServiceCIDR.", + "io.k8s.api.resource.v1alpha3.BasicDevice": { + "description": "BasicDevice defines one device instance.", "properties": { - "conditions": { - "description": "conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. 
Current service state", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + "attributes": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.node.v1.Overhead": { - "description": "Overhead structure represents the resource overhead associated with running a pod.", - "properties": { - "podFixed": { + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": "object" + }, + "capacity": { "additionalProperties": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" }, - "description": "podFixed represents the fixed resource overhead associated with running a pod.", + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" } }, "type": "object" }, - "io.k8s.api.node.v1.RuntimeClass": { - "description": "RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. 
For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/", + "io.k8s.api.resource.v1alpha3.CELDeviceSelector": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. 
you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", "type": "string" + } + }, + "required": [ + "expression" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.Device": { + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "description": "Basic defines one device instance." }, - "handler": { - "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. 
For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.", + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RuntimeClass" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "overhead": { - "$ref": "#/definitions/io.k8s.api.node.v1.Overhead", - "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" - }, - "scheduling": { - "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling", - "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes." 
} }, "required": [ - "handler" + "name" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "node.k8s.io", - "kind": "RuntimeClass", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.node.v1.RuntimeClassList": { - "description": "RuntimeClassList is a list of RuntimeClass objects.", + "io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." }, - "items": { - "description": "items is a list of schema objects.", + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", "items": { - "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass" + "type": "string" }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RuntimeClassList" - ] + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" } }, "required": [ - "items" + "source" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "node.k8s.io", - "kind": "RuntimeClassList", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.node.v1.Scheduling": { - "description": "Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.", + "io.k8s.api.resource.v1alpha3.DeviceAllocationResult": { + "description": "DeviceAllocationResult is the result of allocating devices.", "properties": { - "nodeSelector": { - "additionalProperties": { - "type": "string" + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" }, - "description": "nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. 
Any conflicts will cause the pod to be rejected in admission.", - "type": "object", - "x-kubernetes-map-type": "atomic" + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "tolerations": { - "description": "tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.", + "results": { + "description": "Results lists all allocated devices.", "items": { - "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" }, "type": "array", "x-kubernetes-list-type": "atomic" 
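Review bot: `source` in `DeviceAllocationConfiguration` is a required plain `string` with no `enum`, although its description says it records whether the configuration came from a class or from a claim, and `DeviceAllocationResult.config` tells drivers to distinguish the two on that basis. That value separates settings a normal user could not have made from ones they could, so list the permitted values in an `enum` and let schema validation reject anything else. Also, the `requests` description in the same definition reads "If empty, its applies to all requests"; it should read "it applies".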
@@ -14977,40 +14893,79 @@ }, "type": "object" }, - "io.k8s.api.policy.v1.Eviction": { - "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.", + "io.k8s.api.resource.v1alpha3.DeviceAttribute": { + "description": "DeviceAttribute must have exactly one field set.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "bool": { + "description": "BoolValue is a true/false value.", + "type": "boolean" + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": "integer" + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", "type": "string" }, - "deleteOptions": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions", - "description": "DeleteOptions may be provided" + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": "string" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClaim": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "Eviction" - ] + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "ObjectMeta describes the pod that is being evicted." + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "policy", - "kind": "Eviction", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.policy.v1.PodDisruptionBudget": { - "description": "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods", + "io.k8s.api.resource.v1alpha3.DeviceClass": { + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
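Review bot: `DeviceAttribute` says it "must have exactly one field set" and caps `string` and `version` at 64 characters, but both rules exist only as description text. The schema has no `maxLength` on either property and nothing that restricts the object to one of `bool`, `int`, `string`, `version`, so anything validating against this file alone accepts an attribute with several fields set or an oversized value. Add `"maxLength": 64` to the two string properties and express the one-of rule in the schema, or state in the description where it is enforced.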
@@ -15020,42 +14975,51 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PodDisruptionBudget" + "DeviceClass" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec", - "description": "Specification of the desired behavior of the PodDisruptionBudget." - }, - "status": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus", - "description": "Most recently observed status of the PodDisruptionBudget." + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." 
} }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "policy", - "kind": "PodDisruptionBudget", - "version": "v1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1alpha3" } ] }, - "io.k8s.api.policy.v1.PodDisruptionBudgetList": { - "description": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.", + "io.k8s.api.resource.v1alpha3.DeviceClassConfiguration": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClassList": { + "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of PodDisruptionBudgets", + "description": "Items is the list of resource classes.", "items": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" }, "type": "array" }, 
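Review bot: `DeviceClassConfiguration` declares `opaque` as its only property and has no `required` list, so an empty object validates as an entry in `DeviceClassSpec.config`. If an entry without `opaque` is meaningless, add `"required": ["opaque"]`; if more configuration types are planned, say so in the description. Separately, the `DeviceClassList.items` description says "the list of resource classes" while every other line in this hunk calls the type a device class; align the wording.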
@@ -15063,12 +15027,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PodDisruptionBudgetList" + "DeviceClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata" } }, "required": [ 
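Review bot: the `metadata` description becomes "Standard list metadata" and loses the api-conventions link, while the `kind` description in the same definition keeps its "More info" link. Keep the link on `metadata` as well, so the generated documentation for `DeviceClassList` stays consistent with the other list types.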
@@ -15077,148 +15041,153 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "policy", - "kind": "PodDisruptionBudgetList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "DeviceClassList", + "version": "v1alpha3" } ] }, - "io.k8s.api.policy.v1.PodDisruptionBudgetSpec": { - "description": "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.", + "io.k8s.api.resource.v1alpha3.DeviceClassSpec": { + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { - "maxUnavailable": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\"." - }, - "minAvailable": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\"." - }, - "selector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.", - "x-kubernetes-patch-strategy": "replace" + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. 
Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "unhealthyPodEvictionPolicy": { - "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. 
The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).", - "type": "string" + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.policy.v1.PodDisruptionBudgetStatus": { - "description": "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.", + "io.k8s.api.resource.v1alpha3.DeviceConstraint": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", "properties": { - "conditions": { - "description": "Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.", + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. 
A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": "string" + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + "type": "string" }, "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceRequest": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": "boolean" }, - "currentHealthy": { - "description": "current number of healthy pods", - "format": "int32", - "type": "integer" + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": "string" }, - "desiredHealthy": { - "description": "minimum desired number of healthy pods", - "format": "int32", + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", "type": "integer" }, - "disruptedPods": { - "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" }, - "description": "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.", - "type": "object" + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. 
See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": "boolean" }, - "disruptionsAllowed": { - "description": "Number of pod disruptions that are currently allowed.", - "format": "int32", - "type": "integer" + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": "string" }, - "expectedPods": { - "description": "total number of pods counted by this disruption budget", - "format": "int32", - "type": "integer" + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" }, - "observedGeneration": { - "description": "Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.", - "format": "int64", - "type": "integer" + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. 
Multiple devices may have been allocated per request.", + "type": "string" } }, "required": [ - "disruptionsAllowed", - "currentHealthy", - "desiredHealthy", - "expectedPods" + "request", + "driver", + "pool", + "device" ], "type": "object" }, - "io.k8s.api.rbac.v1.AggregationRule": { - "description": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole", + "io.k8s.api.resource.v1alpha3.DeviceSelector": { + "description": "DeviceSelector must have exactly one field set.", "properties": { - "clusterRoleSelectors": { - "description": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "cel": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "description": "CEL contains a CEL expression for selecting a device." } }, "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRole": { - "description": "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.", + "io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", "properties": { - "aggregationRule": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.AggregationRule", - "description": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller." - }, - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterRole" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." - }, - "rules": { - "description": "Rules holds all the PolicyRules for this ClusterRole", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + }, + "parameters": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." 
} }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRole", - "version": "v1" - } - ] + "required": [ + "driver", + "parameters" + ], + "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRoleBinding": { - "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", + "io.k8s.api.resource.v1alpha3.ResourceClaim": { + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
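Review bot: `adminAccess` on `DeviceRequest` is described as ignoring "all ordinary claims to the device with respect to access modes and any resource allocations", yet the description names only the DRAAdminAccess feature gate and says nothing about who is permitted to set the field in a claim. State the authorization expectation in the description so policy authors know the field has to be restricted, and fix the matching text on `DeviceRequestAllocationResult.adminAccess`, which points to the request field "for a definition of mode" that the request field never gives. In the same definition, `allocationMode` lists ExactCount and All and tells clients to refuse unknown modes but has no `enum`, and `count` "Must be greater than zero" has no `minimum`; `OpaqueDeviceConfiguration.parameters` likewise carries its 10 Ki limit only in prose. Typos to correct: "classses", "It's absence", "AlloctionMode".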
@@ -15228,87 +15197,72 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ClusterRoleBinding" + "ResourceClaim" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "description": "Standard object metadata" }, - "roleRef": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", - "description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, - "subjects": { - "description": "Subjects holds references to the objects the role applies to.", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "status": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "description": "Status describes whether the claim is ready to use and what has been allocated." 
} }, "required": [ - "roleRef" + "spec" ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleBinding", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.ClusterRoleBindingList": { - "description": "ClusterRoleBindingList is a collection of ClusterRoleBindings", + "io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", "type": "string" }, - "items": { - "description": "Items is a list of ClusterRoleBindings", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding" - }, - "type": "array" + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterRoleBindingList" - ] + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" } }, "required": [ - "items" + "resource", + "name", + "uid" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleBindingList", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRoleList": { - "description": "ClusterRoleList is a collection of ClusterRoles", + "io.k8s.api.resource.v1alpha3.ResourceClaimList": { + "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of ClusterRoles", + "description": "Items is the list of resource claims.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRole" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" }, "type": "array" }, 
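Review bot: the `-` lines in this hunk drop the `io.k8s.api.rbac.v1.ClusterRoleBinding`, `ClusterRoleBindingList` and `ClusterRoleList` definitions, and nothing visible here re-adds them. Please confirm they still exist elsewhere in the regenerated file, since any `$ref` to `#/definitions/io.k8s.api.rbac.v1.*` would otherwise dangle and RBAC objects would no longer validate against it. On the added side, the `ResourceClaimConsumerReference` description switches from "consumer" to "The user must be a resource in the same namespace"; use "consumer" throughout so it is not read as a user account.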
@@ -15316,12 +15270,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ClusterRoleList" + "ResourceClaimList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "description": "Standard list metadata" } }, "required": [ 
@@ -15330,63 +15284,47 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaimList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.PolicyRule": { - "description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.", + "io.k8s.api.resource.v1alpha3.ResourceClaimSpec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { - "apiGroups": { - "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "nonResourceURLs": { - "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resourceNames": { - "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resources": { - "description": "Resources is a list of resources this rule applies to. 
'*' represents all resources.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "devices": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "description": "Devices defines how to request devices." + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.ResourceClaimStatus": { + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "description": "Allocation is set once the claim has been allocated successfully." }, - "verbs": { - "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. 
This may get increased in the future, but not reduced.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" }, "type": "array", - "x-kubernetes-list-type": "atomic" + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" } }, - "required": [ - "verbs" - ], "type": "object" }, - "io.k8s.api.rbac.v1.Role": { - "description": "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.", + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplate": { + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
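Review bot: The removed side of this hunk deletes the whole `io.k8s.api.rbac.v1.PolicyRule` definition and begins deleting `io.k8s.api.rbac.v1.Role`, while the added side introduces only `resource.k8s.io` v1alpha3 types (`ResourceClaimSpec`, `ResourceClaimStatus`, `ResourceClaimTemplate`). From these lines it is not possible to tell whether the RBAC schemas were moved or dropped. Please confirm that the `io.k8s.api.rbac.v1.*` keys still exist in the regenerated file. If they do not, every `$ref` to `#/definitions/io.k8s.api.rbac.v1.PolicyRule` stops resolving, and anything that validates Role manifests against this file loses the schema for `rules`, including the `verbs` requirement.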
@@ -15396,123 +15334,156 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "Role" + "ResourceClaimTemplate" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "description": "Standard object metadata" }, - "rules": { - "description": "Rules holds all the PolicyRules for this Role", + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1alpha3" + } + ] + }, + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateList": { + "description": "ResourceClaimTemplateList is a collection of claim templates.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "Items is the list of resource claim templates.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ResourceClaimTemplateList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata" } }, + "required": [ + "items" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "Role", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplateList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleBinding": { - "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec": { + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. 
No other fields are allowed and will be rejected during validation." + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." + } + }, + "required": [ + "spec" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.ResourcePool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RoleBinding" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. 
The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" }, - "roleRef": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", - "description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" }, - "subjects": { - "description": "Subjects holds references to the objects the role applies to.", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. 
Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" } }, "required": [ - "roleRef" + "name", + "generation", + "resourceSliceCount" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "RoleBinding", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.rbac.v1.RoleBindingList": { - "description": "RoleBindingList is a collection of RoleBindings", + "io.k8s.api.resource.v1alpha3.ResourceSlice": { + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. 
Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "items": { - "description": "Items is a list of RoleBindings", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleBinding" - }, - "type": "array" - }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleBindingList" + "ResourceSlice" ] }, "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." 
} }, "required": [ - "items" + "spec" ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "RoleBindingList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleList": { - "description": "RoleList is a collection of Roles", + "io.k8s.api.resource.v1alpha3.ResourceSliceList": { + "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of Roles", + "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Role" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" }, "type": "array" }, @@ -15520,12 +15491,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleList" + "ResourceSliceList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "description": "Standard list metadata" } }, "required": [ 
@@ -15534,68 +15505,55 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "RoleList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceSliceList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleRef": { - "description": "RoleRef contains information that points to the role being used", + "io.k8s.api.resource.v1alpha3.ResourceSliceSpec": { + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { - "apiGroup": { - "description": "APIGroup is the group for the resource being referenced", - "type": "string" + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", + "type": "boolean" }, - "kind": { - "description": "Kind is the type of resource being referenced", - "type": "string" + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.Device" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "name": { - "description": "Name is the name of resource being referenced", - "type": "string" - } - }, - "required": [ - "apiGroup", - "kind", - "name" - ], - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.rbac.v1.Subject": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. 
Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", "type": "string" }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. This field is immutable.", "type": "string" }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" + "nodeSelector": { + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", - "type": "string" + "pool": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "description": "Pool describes the pool that this ResourceSlice belongs to." 
} }, "required": [ - "kind", - "name" + "driver", + "pool" ], - "type": "object", - "x-kubernetes-map-type": "atomic" + "type": "object" }, - "io.k8s.api.resource.v1alpha3.AllocationResult": { + "io.k8s.api.resource.v1beta1.AllocationResult": { "description": "AllocationResult contains attributes of an allocated resource.", "properties": { "devices": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult", "description": "Devices is the result of allocating devices." }, "nodeSelector": { @@ -15605,19 +15563,19 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.BasicDevice": { + "io.k8s.api.resource.v1beta1.BasicDevice": { "description": "BasicDevice defines one device instance.", "properties": { "attributes": { "additionalProperties": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" }, "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" }, "capacity": { "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" @@ -15625,7 +15583,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.CELDeviceSelector": { + "io.k8s.api.resource.v1beta1.CELDeviceSelector": { "description": "CELDeviceSelector contains a CEL expression for selecting a device.", "properties": { "expression": { 
@@ -15638,11 +15596,11 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.Device": { + "io.k8s.api.resource.v1beta1.Device": { "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { "basic": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.BasicDevice", "description": "Basic defines one device instance." }, "name": { @@ -15655,11 +15613,11 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration": { "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { @@ -15680,13 +15638,13 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAllocationResult": { + "io.k8s.api.resource.v1beta1.DeviceAllocationResult": { "description": "DeviceAllocationResult is the result of allocating devices.", "properties": { "config": { "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -15694,7 +15652,7 @@ "results": { "description": "Results lists all allocated devices.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15702,7 +15660,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAttribute": { + "io.k8s.api.resource.v1beta1.DeviceAttribute": { "description": "DeviceAttribute must have exactly one field set.", "properties": { "bool": { @@ -15725,13 +15683,26 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClaim": { + "io.k8s.api.resource.v1beta1.DeviceCapacity": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity", + "description": "Value defines how much of a certain device capacity is available." + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "io.k8s.api.resource.v1beta1.DeviceClaim": { "description": "DeviceClaim defines how to request devices with a ResourceClaim.", "properties": { "config": { "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15739,7 +15710,7 @@ "constraints": { "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -15747,7 +15718,7 @@ "requests": { "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15755,11 +15726,11 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceClaimConfiguration": { "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { @@ -15773,7 +15744,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClass": { + "io.k8s.api.resource.v1beta1.DeviceClass": { "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { 
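Review bot: The key is renamed to `io.k8s.api.resource.v1beta1.DeviceClass`, but the unchanged description line right below it still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate." That is stale for a v1beta1 definition and will mislead anyone reading the schema to decide whether the type is safe to depend on. If this file is generated, fix the wording at the source and regenerate rather than editing it here. The same sentence is carried over under `io.k8s.api.resource.v1beta1.ResourceClaim` further down.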
@@ -15792,7 +15763,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec", "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -15804,21 +15775,21 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.DeviceClassConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceClassConfiguration": { "description": "DeviceClassConfiguration is used in DeviceClass.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClassList": { + "io.k8s.api.resource.v1beta1.DeviceClassList": { "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { @@ -15828,7 +15799,7 @@ "items": { "description": "Items is the list of resource classes.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" }, "type": "array" }, 
@@ -15852,17 +15823,17 @@ { "group": "resource.k8s.io", "kind": "DeviceClassList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.DeviceClassSpec": { + "io.k8s.api.resource.v1beta1.DeviceClassSpec": { "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { "config": { "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15870,7 +15841,7 @@ "selectors": { "description": "Each selector must be satisfied by a device which is claimed via this class.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15878,7 +15849,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceConstraint": { + "io.k8s.api.resource.v1beta1.DeviceConstraint": { "description": "DeviceConstraint must have exactly one field set besides Requests.", "properties": { "matchAttribute": { 
@@ -15896,7 +15867,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceRequest": { + "io.k8s.api.resource.v1beta1.DeviceRequest": { "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", "properties": { "adminAccess": { @@ -15923,7 +15894,7 @@ "selectors": { "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15935,7 +15906,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult": { + "io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult": { "description": "DeviceRequestAllocationResult contains the allocation result for one request.", "properties": { "adminAccess": { 
@@ -15967,17 +15938,17 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceSelector": { + "io.k8s.api.resource.v1beta1.DeviceSelector": { "description": "DeviceSelector must have exactly one field set.", "properties": { "cel": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector", "description": "CEL contains a CEL expression for selecting a device." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration": { + "io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration": { "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", "properties": { "driver": { @@ -15986,7 +15957,7 @@ }, "parameters": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", - "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions." + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, "required": [ 
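Review bot: the 10 Ki limit added to `parameters` in `OpaqueDeviceConfiguration` exists only in the description string. The property is still a bare `$ref` to `io.k8s.apimachinery.pkg.runtime.RawExtension` with no size constraint, so anything validating manifests against this schema will accept oversized payloads and the limit is only applied wherever the API itself enforces it. Since the same description says the data is arbitrary and that validation is the driver developer's responsibility, it would help to say in the change description that this bound is documentation-only here, so nobody relies on schema validation to cap what reaches a driver.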
@@ -15995,7 +15966,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaim": { + "io.k8s.api.resource.v1beta1.ResourceClaim": { "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16014,11 +15985,11 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, "status": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus", "description": "Status describes whether the claim is ready to use and what has been allocated." } }, @@ -16030,11 +16001,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference": { + "io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference": { "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", "properties": { "apiGroup": { @@ -16061,7 +16032,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimList": { + "io.k8s.api.resource.v1beta1.ResourceClaimList": { "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { 
@@ -16071,7 +16042,7 @@ "items": { "description": "Items is the list of resource claims.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" }, "type": "array" }, 
@@ -16095,31 +16066,31 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimSpec": { + "io.k8s.api.resource.v1beta1.ResourceClaimSpec": { "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { "devices": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim", "description": "Devices defines how to request devices." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimStatus": { + "io.k8s.api.resource.v1beta1.ResourceClaimStatus": { "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", "properties": { "allocation": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.AllocationResult", "description": "Allocation is set once the claim has been allocated successfully." }, "reservedFor": { "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. 
The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" }, "type": "array", "x-kubernetes-list-map-keys": [ @@ -16132,7 +16103,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplate": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplate": { "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16151,7 +16122,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec", "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." } }, @@ -16163,11 +16134,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateList": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplateList": { "description": "ResourceClaimTemplateList is a collection of claim templates.", "properties": { "apiVersion": { @@ -16177,7 +16148,7 @@ "items": { "description": "Items is the list of resource claim templates.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" }, "type": "array" }, 
@@ -16201,11 +16172,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplateList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec": { "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", "properties": { "metadata": { @@ -16213,7 +16184,7 @@ "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." } }, @@ -16222,7 +16193,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourcePool": { + "io.k8s.api.resource.v1beta1.ResourcePool": { "description": "ResourcePool describes the pool that ResourceSlices belong to.", "properties": { "generation": { 
@@ -16247,7 +16218,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceSlice": { + "io.k8s.api.resource.v1beta1.ResourceSlice": { "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { 
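Review bot: the `ResourceSlice` description is carried over unchanged under the new `v1beta1` key and still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate." The same sentence survives in the `v1beta1.ResourceClaim` and `v1beta1.ResourceClaimTemplate` descriptions earlier in this file. If these schemas are generated, the wording should be corrected at the source and regenerated; otherwise update the three descriptions so the stated maturity matches the version in the key and in `x-kubernetes-group-version-kind`.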
@@ -16266,7 +16237,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec", "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -16278,11 +16249,11 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceSliceList": { + "io.k8s.api.resource.v1beta1.ResourceSliceList": { "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { @@ -16292,7 +16263,7 @@ "items": { "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" }, "type": "array" }, @@ -16316,11 +16287,11 @@ { "group": "resource.k8s.io", "kind": "ResourceSliceList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceSliceSpec": { + "io.k8s.api.resource.v1beta1.ResourceSliceSpec": { "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { "allNodes": { @@ -16330,7 +16301,7 @@ "devices": { "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.Device" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.Device" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -16348,7 +16319,7 @@ "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, "pool": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourcePool", "description": "Pool describes the pool that this ResourceSlice belongs to." } }, @@ -18698,6 +18669,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", @@ -19448,6 +19424,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master-local/all.json b/master-local/all.json index 7479d816261e4a8a88236c2a3aa5f261f633173a..cd8edfc51f4517d4bd8d8e6b3ef7ce87ec9ce19d 100644 --- a/master-local/all.json +++ b/master-local/all.json @@ -79,10 +79,10 @@ "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch" }, { "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" 
@@ -91,40 +91,34 @@ "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" }, { - "$ref": 
"_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef" }, { "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" @@ -318,12 +312,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1.UserInfo" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReview" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReview" }, @@ -537,15 +525,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.coordination.v1.Lease" }, 
@@ -1296,75 +1275,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.UserSubject" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec" - }, - { - "$ref": 
"_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" }, 
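Review bot: the `-1296,75 +1275,6` hunk in all.json drops every `io.k8s.api.flowcontrol.v1beta3.*` reference with nothing added in their place, and earlier hunks in the same file do the same for `authentication.v1alpha1.SelfSubjectReview*` and `certificates.v1alpha1.ClusterTrustBundle*`. Manifests still pinned to those versions will no longer resolve to a schema here, which in a permissive validator means they pass unchecked. Please list the removed group/versions in the commit message so consumers can tell an intentional removal from a generation error.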
@@ -1620,6 +1530,99 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.AllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.BasicDevice" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.Device" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration" + }, + { + "$ref": 
"_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourcePool" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.scheduling.v1.PriorityClass" }, diff --git a/master-local/allocationresult-resource-v1beta1.json b/master-local/allocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..629edb5a8a00b26ddd389d4e806b70edcd48f364 --- /dev/null +++ b/master-local/allocationresult-resource-v1beta1.json 
@@ -0,0 +1,15 @@ +{ + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult", + "description": "Devices is the result of allocating devices." + }, + "nodeSelector": { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/allocationresult.json b/master-local/allocationresult.json index 2857182a34b9eaf5550a4c23cc43b00707d9f257..629edb5a8a00b26ddd389d4e806b70edcd48f364 100644 --- a/master-local/allocationresult.json +++ b/master-local/allocationresult.json @@ -2,7 +2,7 @@ "description": "AllocationResult contains attributes of an allocated resource.", "properties": { "devices": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult", "description": "Devices is the result of allocating devices." }, "nodeSelector": { diff --git a/master-local/applyconfiguration-admissionregistration-v1alpha1.json b/master-local/applyconfiguration-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..e0c6042828baab111248e45cb145a26ecd361b55 --- /dev/null +++ b/master-local/applyconfiguration-admissionregistration-v1alpha1.json 
@@ -0,0 +1,14 @@ +{ + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/applyconfiguration.json b/master-local/applyconfiguration.json new file mode 100644 index 0000000000000000000000000000000000000000..e0c6042828baab111248e45cb145a26ecd361b55 --- /dev/null +++ b/master-local/applyconfiguration.json 
@@ -0,0 +1,14 @@ +{ + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/auditannotation-admissionregistration-v1alpha1.json b/master-local/auditannotation-admissionregistration-v1alpha1.json deleted file mode 100644 index a6d3ffb05ea62d6d3dc68565b78d718f67fb77ac..0000000000000000000000000000000000000000 --- a/master-local/auditannotation-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": [ - "string", - "null" - ] - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
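Review bot: in the two new ApplyConfiguration files (applyconfiguration.json and applyconfiguration-admissionregistration-v1alpha1.json) the `expression` description ends with "Required.", but neither schema has a `required` list and the property type is `["string", "null"]`, so a policy with a missing or null expression validates cleanly. The AuditAnnotation schema deleted in this hunk did carry `"required": ["key", "valueExpression"]` for fields documented the same way. Either add `"required": ["expression"]` to both files or confirm the omission is what the generator intends. Separately, the description has a mismatched quote in `'Object.<fieldName1>.<fieldName2>...<fieldNameN>` (opens with `'`, closes with a backtick), and the two bullet lists are run together on single lines.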
diff --git a/master-local/basicdevice-resource-v1beta1.json b/master-local/basicdevice-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..960c1dfcc5856ad147e99e45143503ae9d645111 --- /dev/null +++ b/master-local/basicdevice-resource-v1beta1.json @@ -0,0 +1,27 @@ +{ + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" + }, + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + }, + "capacity": { + "additionalProperties": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" + }, + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/basicdevice.json b/master-local/basicdevice.json index f68c1f2188ab022f0384768b1cd5f84558b4e2eb..960c1dfcc5856ad147e99e45143503ae9d645111 100644 --- a/master-local/basicdevice.json +++ b/master-local/basicdevice.json @@ -3,7 +3,7 @@ "properties": { "attributes": { "additionalProperties": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" }, "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ 
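Review bot: The "$ref" change under attributes.additionalProperties makes the unversioned basicdevice.json describe resource.k8s.io/v1beta1 while the file name stays the same, so a validator that loads the unversioned file will now check v1alpha3 objects against v1beta1 definitions. The deleteoptions enum later in this patch still lists resource.k8s.io/v1alpha3, so that version has not gone away; state in the commit message that the unversioned resource schemas now track v1beta1, and confirm that a v1alpha3-suffixed BasicDevice schema remains available for clusters that still serve it.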
@@ -13,7 +13,7 @@ }, "capacity": { "additionalProperties": { - "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ diff --git a/master-local/celdeviceselector-resource-v1beta1.json b/master-local/celdeviceselector-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..b63da15344f67f3be1538b3844af870028bb3d2b --- /dev/null +++ b/master-local/celdeviceselector-resource-v1beta1.json 
@@ -0,0 +1,17 @@ +{ + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. 
Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "expression" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/clustertrustbundle-certificates-v1alpha1.json b/master-local/clustertrustbundle-certificates-v1alpha1.json deleted file mode 100644 index e8b7815533986111128e4f5b4fde5fd2bd781d93..0000000000000000000000000000000000000000 --- a/master-local/clustertrustbundle-certificates-v1alpha1.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "certificates.k8s.io/v1alpha1" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "metadata contains the object metadata." 
- }, - "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec", - "description": "spec contains the signer (if any) and trust anchors." - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/clustertrustbundle.json b/master-local/clustertrustbundle.json deleted file mode 100644 index 4cb710edf6fd93b0e514316938e8a289156bea7b..0000000000000000000000000000000000000000 --- a/master-local/clustertrustbundle.json +++ /dev/null 
@@ -1,42 +0,0 @@ -{ - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "metadata contains the object metadata." 
- }, - "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec", - "description": "spec contains the signer (if any) and trust anchors." - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/clustertrustbundlespec-certificates-v1alpha1.json b/master-local/clustertrustbundlespec-certificates-v1alpha1.json deleted file mode 100644 index 22831e1f32c81ea493f1c9fed529a7fa18df2050..0000000000000000000000000000000000000000 --- a/master-local/clustertrustbundlespec-certificates-v1alpha1.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-local/clustertrustbundlespec.json b/master-local/clustertrustbundlespec.json deleted file mode 100644 index 22831e1f32c81ea493f1c9fed529a7fa18df2050..0000000000000000000000000000000000000000 --- a/master-local/clustertrustbundlespec.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
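Review bot: clustertrustbundlespec.json is removed here, and its certificates-v1alpha1 counterpart in the hunk before it, with no replacement file visible in this part of the patch, which leaves ClusterTrustBundleSpec without a schema. The removed descriptions document the trustBundle rules (PEM certificate blocks only, CA bit set, no duplicates) and the signerName name-prefix rule, so check how downstream validators behave when the schema is missing: one that skips unknown kinds would let trust anchor objects through unchecked. If the removal follows the API no longer being served, say so in the commit message.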
diff --git a/master-local/csipersistentvolumesource-v1.json b/master-local/csipersistentvolumesource-v1.json index e2bb253a2f6fe3c4135bd3500b76909b4fe4c6a5..4d104fe156d07719ae1951792e8f7de8e3614678 100644 --- a/master-local/csipersistentvolumesource-v1.json +++ b/master-local/csipersistentvolumesource-v1.json @@ -1,5 +1,5 @@ { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.SecretReference", diff --git a/master-local/csipersistentvolumesource.json b/master-local/csipersistentvolumesource.json index e2bb253a2f6fe3c4135bd3500b76909b4fe4c6a5..4d104fe156d07719ae1951792e8f7de8e3614678 100644 --- a/master-local/csipersistentvolumesource.json +++ b/master-local/csipersistentvolumesource.json @@ -1,5 +1,5 @@ { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.SecretReference", diff --git a/master-local/deleteoptions-meta-v1.json b/master-local/deleteoptions-meta-v1.json index 0c42daf0ac0c6e62eec2ced09a28c07e653bcaee..86857e45508cfb11361bba6af61cbaccc0dddf05 100644 --- a/master-local/deleteoptions-meta-v1.json +++ b/master-local/deleteoptions-meta-v1.json @@ -61,6 +61,7 @@ "rbac.authorization.k8s.io/v1alpha1", "rbac.authorization.k8s.io/v1beta1", "resource.k8s.io/v1alpha3", + "resource.k8s.io/v1beta1", "scheduling.k8s.io/v1", "scheduling.k8s.io/v1alpha1", "scheduling.k8s.io/v1beta1", 
@@ -388,6 +389,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-local/deleteoptions.json b/master-local/deleteoptions.json index a40fcb2923654c7c71388a47aeb13239f67fe92e..f2707bd84c9b5e3000185aa95a6a9bffc67f343d 100644 --- a/master-local/deleteoptions.json +++ b/master-local/deleteoptions.json @@ -326,6 +326,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-local/device-resource-v1beta1.json b/master-local/device-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..685ebecff02d0d0ac15a8262255cca079f3d23f1 --- /dev/null +++ b/master-local/device-resource-v1beta1.json @@ -0,0 +1,21 @@ +{ + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.BasicDevice", + "description": "Basic defines one device instance." + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "name" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/device.json b/master-local/device.json index dbea83b2e0749a84eaab291ed79abb409aa3260d..685ebecff02d0d0ac15a8262255cca079f3d23f1 100644 --- a/master-local/device.json +++ b/master-local/device.json 
@@ -2,7 +2,7 @@ "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { "basic": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.BasicDevice", "description": "Basic defines one device instance." }, "name": { diff --git a/master-local/deviceallocationconfiguration-resource-v1beta1.json b/master-local/deviceallocationconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..00c39cfc067d9f408a0e27317b7355be55b17967 --- /dev/null +++ b/master-local/deviceallocationconfiguration-resource-v1beta1.json @@ -0,0 +1,35 @@ +{ + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "source" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/deviceallocationconfiguration.json b/master-local/deviceallocationconfiguration.json index 52561133ea74b1651f498c3d2dc07030d3e49d8a..00c39cfc067d9f408a0e27317b7355be55b17967 100644 --- a/master-local/deviceallocationconfiguration.json 
+++ b/master-local/deviceallocationconfiguration.json @@ -2,7 +2,7 @@ "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { "opaque": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { diff --git a/master-local/deviceallocationresult-resource-v1beta1.json b/master-local/deviceallocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..8f324b6af8dfb1e9327fd8e08d3ffdab66346ad9 --- /dev/null +++ b/master-local/deviceallocationresult-resource-v1beta1.json @@ -0,0 +1,29 @@ +{ + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
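Review bot: The "config" description in deviceallocationresult-resource-v1beta1.json says drivers can distinguish claim and class parameters "based on a flag" without naming it; the DeviceAllocationConfiguration schema added earlier in this patch carries that distinction in "source", which is typed as string-or-null with no enum. Name the field in the description (this needs the upstream type comment changed) and consider constraining "source" to its allowed values, because that value is what tells a driver whether a setting came from an admin-controlled class or from a user's claim. The same description also tells drivers they may silently ignore unknown parameters, so a mistyped "source" would not surface anywhere.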
diff --git a/master-local/deviceallocationresult.json b/master-local/deviceallocationresult.json index a25cdfec4b47018e2410f848b0a6d36adae428ee..8f324b6af8dfb1e9327fd8e08d3ffdab66346ad9 100644 --- a/master-local/deviceallocationresult.json +++ b/master-local/deviceallocationresult.json @@ -4,7 +4,7 @@ "config": { "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" }, "type": [ "array", @@ -15,7 +15,7 @@ "results": { "description": "Results lists all allocated devices.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" }, "type": [ "array", diff --git a/master-local/deviceattribute-resource-v1beta1.json b/master-local/deviceattribute-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..4ad000a165e9001a20e6cac6594729d56207f765 --- /dev/null +++ b/master-local/deviceattribute-resource-v1beta1.json 
@@ -0,0 +1,36 @@ +{ + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/devicecapacity-resource-v1beta1.json b/master-local/devicecapacity-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e5f2466ca0eeb06e37affc6968dca8c111a2caf6 --- /dev/null +++ b/master-local/devicecapacity-resource-v1beta1.json @@ -0,0 +1,14 @@ +{ + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity", + "description": "Value defines how much of a certain device capacity is available." + } + }, + "required": [ + "value" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/devicecapacity.json b/master-local/devicecapacity.json new file mode 100644 index 0000000000000000000000000000000000000000..e5f2466ca0eeb06e37affc6968dca8c111a2caf6 --- /dev/null +++ b/master-local/devicecapacity.json 
@@ -0,0 +1,14 @@ +{ + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity", + "description": "Value defines how much of a certain device capacity is available." + } + }, + "required": [ + "value" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/deviceclaim-resource-v1beta1.json b/master-local/deviceclaim-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..effe18a77c39ff06d77207296d9851b056639900 --- /dev/null +++ b/master-local/deviceclaim-resource-v1beta1.json @@ -0,0 +1,40 @@ +{ + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
diff --git a/master-local/deviceclaim.json b/master-local/deviceclaim.json index d7806bf50f70eaa0a45133066176c259525e2005..effe18a77c39ff06d77207296d9851b056639900 100644 --- a/master-local/deviceclaim.json +++ b/master-local/deviceclaim.json @@ -4,7 +4,7 @@ "config": { "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" }, "type": [ "array", @@ -15,7 +15,7 @@ "constraints": { "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" }, "type": [ "array", @@ -26,7 +26,7 @@ "requests": { "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" }, "type": [ "array", diff --git a/master-local/deviceclaimconfiguration-resource-v1beta1.json b/master-local/deviceclaimconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..38762c9093209159791363312c2d064b75973b0d --- /dev/null +++ b/master-local/deviceclaimconfiguration-resource-v1beta1.json 
@@ -0,0 +1,25 @@ +{ + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/deviceclaimconfiguration.json b/master-local/deviceclaimconfiguration.json index 4cb86735415e757c44bad590fc187b6793765823..38762c9093209159791363312c2d064b75973b0d 100644 --- a/master-local/deviceclaimconfiguration.json +++ b/master-local/deviceclaimconfiguration.json @@ -2,7 +2,7 @@ "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", "properties": { "opaque": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { diff --git a/master-local/selfsubjectreview-authentication-v1alpha1.json b/master-local/deviceclass-resource-v1beta1.json similarity index 52% rename from master-local/selfsubjectreview-authentication-v1alpha1.json rename to master-local/deviceclass-resource-v1beta1.json index caf99e625739b262d005ecefc97f064a0749ab86..6498f7d28c1b81ec28b609e40607830179faf715 100644 --- a/master-local/selfsubjectreview-authentication-v1alpha1.json +++ b/master-local/deviceclass-resource-v1beta1.json 
@@ -1,5 +1,5 @@ { - "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,7 +8,7 @@ "null" ], "enum": [ - "authentication.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "kind": { 
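Review bot: The new description in the first hunk of deviceclass-resource-v1beta1.json still reads "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate", while the apiVersion enum in the hunk above is changed to resource.k8s.io/v1beta1. The sentence comes from the upstream type comment, so fix it there or drop it when generating. Note also that git records this file as a 52% rename of selfsubjectreview-authentication-v1alpha1.json; the two types are unrelated, so read this as the deletion of the SelfSubjectReview v1alpha1 schema plus a new DeviceClass file, and check the deletion on its own terms.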
@@ -18,24 +18,27 @@ "null" ], "enum": [ - "SelfSubjectReview" + "DeviceClass" ] }, "metadata": { "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object metadata" }, - "status": { - "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus", - "description": "Status is filled in by the server with the user attributes." + "spec": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec", + "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." } }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "authentication.k8s.io", - "kind": "SelfSubjectReview", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/deviceclass.json b/master-local/deviceclass.json index 1fa747135e37481a18a18932122f2f4a5347ff28..7da325089103e4692ff561f44b9547c6d2277a96 100644 --- a/master-local/deviceclass.json +++ b/master-local/deviceclass.json 
@@ -23,7 +23,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec", "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -35,7 +35,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/deviceclassconfiguration-resource-v1beta1.json b/master-local/deviceclassconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..4115d0f806ffb8b233b181489c04745def50fd7f --- /dev/null +++ b/master-local/deviceclassconfiguration-resource-v1beta1.json @@ -0,0 +1,11 @@ +{ + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/deviceclassconfiguration.json b/master-local/deviceclassconfiguration.json index d71a4849f20c8390271b82ee3b3831f829d7c851..4115d0f806ffb8b233b181489c04745def50fd7f 100644 --- a/master-local/deviceclassconfiguration.json +++ b/master-local/deviceclassconfiguration.json 
@@ -2,7 +2,7 @@ "description": "DeviceClassConfiguration is used in DeviceClass.", "properties": { "opaque": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." } }, diff --git a/master-local/clustertrustbundlelist.json b/master-local/deviceclasslist-resource-v1beta1.json similarity index 72% rename from master-local/clustertrustbundlelist.json rename to master-local/deviceclasslist-resource-v1beta1.json index b127c8514ade6e7d83850f1bb7b205a1f42c04c1..030bcc50ec0840de985744f4aa1eb465f4c591c4 100644 --- a/master-local/clustertrustbundlelist.json +++ b/master-local/deviceclasslist-resource-v1beta1.json @@ -1,17 +1,20 @@ { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", + "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "items is a collection of ClusterTrustBundle objects", + "description": "Items is the list of resource classes.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" }, "type": [ "array", 
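Review bot: the file header above this hunk records deviceclasslist-resource-v1beta1.json as a 72% rename of clustertrustbundlelist.json, so the unversioned ClusterTrustBundleList schema no longer exists in master-local once the patch is applied, and nothing in the visible hunks says that removal is intended. If it is, state it in the change description, because anything that validates a ClusterTrustBundleList manifest by looking up that filename will no longer find a schema. The same applies to selfsubjectreview-authentication-v1alpha1.json, which is renamed into deviceclass-resource-v1beta1.json earlier in the patch.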
@@ -25,12 +28,12 @@ "null" ], "enum": [ - "ClusterTrustBundleList" + "DeviceClassList" ] }, "metadata": { "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "metadata contains the list metadata." + "description": "Standard list metadata" } }, "required": [ @@ -39,9 +42,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClassList", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/deviceclasslist.json b/master-local/deviceclasslist.json index 76220057c473d1dedb8c1bcc1bac4e296678c055..05e232f906a784d5646fbf09707d2caf1824a6f7 100644 --- a/master-local/deviceclasslist.json +++ b/master-local/deviceclasslist.json @@ -11,7 +11,7 @@ "items": { "description": "Items is the list of resource classes.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClassList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/deviceclassspec-resource-v1beta1.json b/master-local/deviceclassspec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e07c8a42273cf4ce2b5eee915e1d8b856b5bcb25 --- /dev/null +++ b/master-local/deviceclassspec-resource-v1beta1.json 
@@ -0,0 +1,29 @@ +{ + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", + "properties": { + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/deviceclassspec.json b/master-local/deviceclassspec.json index fb2aabf1eb153f8c7b7a04d6754a3115aaf8891a..e07c8a42273cf4ce2b5eee915e1d8b856b5bcb25 100644 --- a/master-local/deviceclassspec.json +++ b/master-local/deviceclassspec.json @@ -4,7 +4,7 @@ "config": { "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" }, "type": [ "array", 
@@ -15,7 +15,7 @@ "selectors": { "description": "Each selector must be satisfied by a device which is claimed via this class.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": [ "array", diff --git a/master-local/deviceconstraint-resource-v1beta1.json b/master-local/deviceconstraint-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e3879d2e719c84058823b89f38910ee3b08c1216 --- /dev/null +++ b/master-local/deviceconstraint-resource-v1beta1.json @@ -0,0 +1,28 @@ +{ + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
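Review bot: deviceconstraint-resource-v1beta1.json says "DeviceConstraint must have exactly one field set besides Requests", but the schema carries no `required`, `oneOf` or `minProperties`, and `matchAttribute` accepts `null`, so an empty constraint validates against this file. Either express the rule in the schema or say in the description that it is enforced elsewhere, so that nobody treats a pass against this schema as proof the constraint is well formed. The `matchAttribute` text "Must include the domain qualifier" has the same gap: no `pattern` backs it.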
diff --git a/master-local/devicerequest-resource-v1beta1.json b/master-local/devicerequest-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..42e0e220996fc6eaefde8e667cb1adb4f24a6dd8 --- /dev/null +++ b/master-local/devicerequest-resource-v1beta1.json 
@@ -0,0 +1,58 @@ +{ + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": [ + "string", + "null" + ] + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/devicerequest.json b/master-local/devicerequest.json index dcf6c0b5bd5be38ac872b1b3c1b599b0ada8f2b9..42e0e220996fc6eaefde8e667cb1adb4f24a6dd8 100644 --- a/master-local/devicerequest.json +++ b/master-local/devicerequest.json 
@@ -40,7 +40,7 @@ "selectors": { "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": [ "array", diff --git a/master-local/devicerequestallocationresult-resource-v1beta1.json b/master-local/devicerequestallocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..ca4bcaefa2c9456976d8bf9ae0897e39c5c7b162 --- /dev/null +++ b/master-local/devicerequestallocationresult-resource-v1beta1.json 
@@ -0,0 +1,48 @@ +{ + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": [ + "string", + "null" + ] + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": [ + "string", + "null" + ] + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": [ + "string", + "null" + ] + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/deviceselector-resource-v1beta1.json b/master-local/deviceselector-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..83ff57b9ef1a9f944a85b5342b8d0fef6d7cb5eb --- /dev/null 
+++ b/master-local/deviceselector-resource-v1beta1.json @@ -0,0 +1,11 @@ +{ + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector", + "description": "CEL contains a CEL expression for selecting a device." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/deviceselector.json b/master-local/deviceselector.json index b936f150978ee78961fc4ed3c1c426bb1b374b62..83ff57b9ef1a9f944a85b5342b8d0fef6d7cb5eb 100644 --- a/master-local/deviceselector.json +++ b/master-local/deviceselector.json @@ -2,7 +2,7 @@ "description": "DeviceSelector must have exactly one field set.", "properties": { "cel": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector", "description": "CEL contains a CEL expression for selecting a device." } }, diff --git a/master-local/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json b/master-local/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index 81bb3cf58b7ca02bfdc6c87be349a9b13447dae4..0000000000000000000000000000000000000000 --- a/master-local/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
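Review bot: in devicerequest-resource-v1beta1.json, added earlier in this patch, `adminAccess` is a plain nullable boolean even though its description says such claims "ignore all ordinary claims to the device with respect to access modes and any resource allocations" and depend on the DRAAdminAccess feature gate. A manifest that sets `adminAccess: true` therefore validates exactly like an ordinary request. Call the field out in the change description so that teams using these schemas for manifest linting can add their own check for it. In the same file, `count` is documented as "Must be greater than zero" but has no `minimum`, and the descriptions contain the typos "It's absence" and "AlloctionMode".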
diff --git a/master-local/expressionwarning-admissionregistration-v1alpha1.json b/master-local/expressionwarning-admissionregistration-v1alpha1.json deleted file mode 100644 index 664f5a5f3e35b2f7ed032d25efed3aa49ef48f18..0000000000000000000000000000000000000000 --- a/master-local/expressionwarning-admissionregistration-v1alpha1.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": [ - "string", - "null" - ] - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/flowdistinguishermethod-flowcontrol-v1beta3.json b/master-local/flowdistinguishermethod-flowcontrol-v1beta3.json deleted file mode 100644 index dc443d094426da52a85528f20f79fd84ca9b683b..0000000000000000000000000000000000000000 --- a/master-local/flowdistinguishermethod-flowcontrol-v1beta3.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-local/flowschema-flowcontrol-v1beta3.json b/master-local/flowschema-flowcontrol-v1beta3.json deleted file mode 100644 index 31de88ffc656b9a4f6ae2227ddc6aa109b89a743..0000000000000000000000000000000000000000 --- a/master-local/flowschema-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "FlowSchema" - ] - }, - "metadata": { - "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec", - "description": "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus", - "description": "`status` is the current status of a FlowSchema. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/flowschema.json b/master-local/flowschema.json index b6e1fac5f7340330c747dc7d0987d5d057881765..584a70cde6d3dda74910313ea9761418d8a08e4d 100644 --- a/master-local/flowschema.json +++ b/master-local/flowschema.json @@ -23,11 +23,11 @@ "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaSpec", "description": "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaStatus", "description": "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, @@ -36,7 +36,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchema", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/flowschemacondition-flowcontrol-v1beta3.json b/master-local/flowschemacondition-flowcontrol-v1beta3.json deleted file mode 100644 index a60a8fa90f54fb761915c880cc79e5430108278b..0000000000000000000000000000000000000000 
--- a/master-local/flowschemacondition-flowcontrol-v1beta3.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/flowschemalist.json b/master-local/flowschemalist.json index cb751523a1d41a4002d816b900e5a8f3f65b40b2..7bc0e46fced797f734408c75a58a1d7285d52d79 100644 --- a/master-local/flowschemalist.json +++ b/master-local/flowschemalist.json @@ -11,7 +11,7 @@ "items": { "description": "`items` is a list of FlowSchemas.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchemaList", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" 
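Review bot: the last hunk of flowschemalist.json changes `version` from `v1beta3` to `v1` under an unchanged filename, while the `*-flowcontrol-v1beta3.json` files are deleted elsewhere in this patch. Manifests that still declare `flowcontrol.apiserver.k8s.io/v1beta3` are left without a matching schema, and a tool that picks the schema by kind alone will now check them against the v1 definitions. Record the removal of the v1beta3 schemas in the change description so that consumers know to migrate their manifests before updating.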
diff --git a/master-local/flowschemaspec-flowcontrol-v1beta3.json b/master-local/flowschemaspec-flowcontrol-v1beta3.json deleted file mode 100644 index 35903976a59a104de789a7ab10878deed9ffdf84..0000000000000000000000000000000000000000 --- a/master-local/flowschemaspec-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", - "properties": { - "distinguisherMethod": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod", - "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." - }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "priorityLevelConfiguration": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference", - "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." - }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "priorityLevelConfiguration" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-local/flowschemaspec.json b/master-local/flowschemaspec.json index 35903976a59a104de789a7ab10878deed9ffdf84..ba5694043fbfe6fd58a4df43cff67ad8a7bef688 100644 --- a/master-local/flowschemaspec.json +++ b/master-local/flowschemaspec.json @@ -2,7 +2,7 @@ "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", "properties": { "distinguisherMethod": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowDistinguisherMethod", "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." }, "matchingPrecedence": { @@ -14,13 +14,13 @@ ] }, "priorityLevelConfiguration": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationReference", "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." }, "rules": { "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PolicyRulesWithSubjects" }, "type": [ "array", 
diff --git a/master-local/flowschemastatus-flowcontrol-v1beta3.json b/master-local/flowschemastatus-flowcontrol-v1beta3.json deleted file mode 100644 index 67adcf290c37ddca2d99a27f63c7f27e671004f2..0000000000000000000000000000000000000000 --- a/master-local/flowschemastatus-flowcontrol-v1beta3.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/flowschemastatus.json b/master-local/flowschemastatus.json index 67adcf290c37ddca2d99a27f63c7f27e671004f2..c78c699fa7807bb79e59d9d2653ddb73bb618543 100644 --- a/master-local/flowschemastatus.json +++ b/master-local/flowschemastatus.json @@ -4,7 +4,7 @@ "conditions": { "description": "`conditions` is a list of the current states of FlowSchema.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaCondition" }, "type": [ "array", diff --git a/master-local/groupsubject-flowcontrol-v1beta3.json b/master-local/groupsubject-flowcontrol-v1beta3.json deleted file mode 100644 index 421ca76742afe3dfcb7f5d27e52250cc2fbc7e5c..0000000000000000000000000000000000000000 --- a/master-local/groupsubject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/jsonpatch-admissionregistration-v1alpha1.json b/master-local/jsonpatch-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..dbb808eff66aba537fc80dd4d4348517aabc83e0 --- /dev/null +++ b/master-local/jsonpatch-admissionregistration-v1alpha1.json 
@@ -0,0 +1,14 @@ +{ + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
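Review bot: the last sentence of the `expression` description gives the accessible property-name pattern as `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`, and in both character classes `.-/` puts the hyphen between two characters, so read as a regular expression it is a range covering only `.` and `/` and does not admit `-`. If hyphens are meant to be allowed, move `-` to the end of each class or escape it. The same description also has mismatched quoting in `'Object.<fieldName1>.<fieldName2>...<fieldNameN>` (opens with a single quote, closes with a backtick) and in the `jsonpatch.escapeKey` bullet, which closes `~1` with the wrong quote character and carries an unmatched `)`.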
diff --git a/master-local/jsonpatch.json b/master-local/jsonpatch.json new file mode 100644 index 0000000000000000000000000000000000000000..dbb808eff66aba537fc80dd4d4348517aabc83e0 --- /dev/null +++ b/master-local/jsonpatch.json 
@@ -0,0 +1,14 @@ +{ + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
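Review bot: the `request` bullet in this description links to `/pkg/apis/admission/types.go#AdmissionRequest`, a repository-relative path that resolves nowhere for someone reading this standalone schema file; an absolute URL would be usable here. Note also that jsonpatch.json is added with the same blob id (`dbb808eff66aba537fc80dd4d4348517aabc83e0`) as jsonpatch-admissionregistration-v1alpha1.json, so any correction to the description text has to land in both copies, and the unversioned name will be ambiguous if another API group or version later defines a `JSONPatch` type.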
diff --git a/master-local/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json b/master-local/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index 586cde53e030452c87853aa308fc7826ebaf5044..0000000000000000000000000000000000000000 --- a/master-local/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", - "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. 
The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse", - "description": "`limitResponse` indicates what to do with requests that can not be executed right now" - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/limitedprioritylevelconfiguration.json b/master-local/limitedprioritylevelconfiguration.json index 586cde53e030452c87853aa308fc7826ebaf5044..8581dade2dbb18cf1840f01074ba97878506a76e 100644 --- a/master-local/limitedprioritylevelconfiguration.json +++ b/master-local/limitedprioritylevelconfiguration.json 
@@ -18,11 +18,11 @@ ] }, "limitResponse": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.LimitResponse", "description": "`limitResponse` indicates what to do with requests that can not be executed right now" }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. 
The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", diff --git a/master-local/limitresponse-flowcontrol-v1beta3.json b/master-local/limitresponse-flowcontrol-v1beta3.json deleted file mode 100644 index fce0869bb46bc8f1a64debf960f637f7ace2f22a..0000000000000000000000000000000000000000 --- a/master-local/limitresponse-flowcontrol-v1beta3.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration", - "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
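Review bot: in the limitedprioritylevelconfiguration.json hunk, the rewritten `nominalConcurrencyShares` description ends at "used to hold some request(s)" with no closing period and without saying what happens to requests placed in a zero-share "jail" (whether they wait, are rejected through `limitResponse`, or depend on borrowing). Since zero is now a documented value and the visible schema only constrains the field to an int32 integer or null, the description should finish the sentence and state the resulting behaviour, so an operator does not assign a flow to a level with zero seats without knowing the outcome.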
diff --git a/master-local/limitresponse.json b/master-local/limitresponse.json index fce0869bb46bc8f1a64debf960f637f7ace2f22a..58ab15d6524fa2d12dcc38eaf8612aadace7753c 100644 --- a/master-local/limitresponse.json +++ b/master-local/limitresponse.json @@ -2,7 +2,7 @@ "description": "LimitResponse defines how to handle requests that can not be executed right now.", "properties": { "queuing": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.QueuingConfiguration", "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." }, "type": { diff --git a/master-local/localvolumesource-v1.json b/master-local/localvolumesource-v1.json index 7594a898ed0c6528c8eeac8508656cc060d229fa..49b86b0719c9f771c75abf57dfc1d2c054a2ea2b 100644 --- a/master-local/localvolumesource-v1.json +++ b/master-local/localvolumesource-v1.json @@ -1,5 +1,5 @@ { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-local/localvolumesource.json b/master-local/localvolumesource.json index 7594a898ed0c6528c8eeac8508656cc060d229fa..49b86b0719c9f771c75abf57dfc1d2c054a2ea2b 100644 --- a/master-local/localvolumesource.json +++ b/master-local/localvolumesource.json 
@@ -1,5 +1,5 @@ { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-local/metricspec-autoscaling-v2.json b/master-local/metricspec-autoscaling-v2.json index 62d43b7963400dcff1dd5f4136c2778edcad4bd4..e3fdbdfb013f884bc95b475aa305b26144e329ff 100644 --- a/master-local/metricspec-autoscaling-v2.json +++ b/master-local/metricspec-autoscaling-v2.json @@ -3,7 +3,7 @@ "properties": { "containerResource": { "$ref": "_definitions.json#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource", - "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag." + "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "external": { "$ref": "_definitions.json#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource", 
@@ -22,7 +22,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": [ "string", "null" diff --git a/master-local/metricspec.json b/master-local/metricspec.json index 62d43b7963400dcff1dd5f4136c2778edcad4bd4..e3fdbdfb013f884bc95b475aa305b26144e329ff 100644 --- a/master-local/metricspec.json +++ b/master-local/metricspec.json 
@@ -3,7 +3,7 @@ "properties": { "containerResource": { "$ref": "_definitions.json#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource", - "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag." + "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "external": { "$ref": "_definitions.json#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource", 
@@ -22,7 +22,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": [ "string", "null" diff --git a/master-local/metricstatus-autoscaling-v2.json b/master-local/metricstatus-autoscaling-v2.json index 123f585d13cd7116751131cfc7f34aec1557d1ca..a35e4e315257aede9109edaca5728a4bae89a2cd 100644 --- a/master-local/metricstatus-autoscaling-v2.json +++ b/master-local/metricstatus-autoscaling-v2.json 
@@ -22,7 +22,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": [ "string", "null" diff --git a/master-local/metricstatus.json b/master-local/metricstatus.json index 123f585d13cd7116751131cfc7f34aec1557d1ca..a35e4e315257aede9109edaca5728a4bae89a2cd 100644 --- a/master-local/metricstatus.json +++ b/master-local/metricstatus.json 
@@ -22,7 +22,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": [ "string", "null" diff --git a/master-local/validatingadmissionpolicy-admissionregistration-v1alpha1.json b/master-local/mutatingadmissionpolicy-admissionregistration-v1alpha1.json similarity index 69% rename from master-local/validatingadmissionpolicy-admissionregistration-v1alpha1.json rename to master-local/mutatingadmissionpolicy-admissionregistration-v1alpha1.json index 773d3f0d08b842b1412b9c7675c8f293e9e78ebc..26325d1e9affbf864f14bea64fea40499112a321 100644 --- a/master-local/validatingadmissionpolicy-admissionregistration-v1alpha1.json +++ b/master-local/mutatingadmissionpolicy-admissionregistration-v1alpha1.json 
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -18,7 +18,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { @@ -26,19 +26,15 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicy." - }, - "status": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus", - "description": "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only." + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicy." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ], 
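Review bot: the last hunk drops the `status` property while retargeting `spec`, so the mutating kind has no counterpart to the field the validating schema described as "including warnings that are useful to determine if the policy behaves in the expected way". If that is intentional, say so in the commit message: Git presents this as a 69% rename, which hides the fact that validatingadmissionpolicy-admissionregistration-v1alpha1.json is removed outright and a different kind takes its place. Minor wording in the first hunk: "coming into admission chain" is missing "the".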
diff --git a/master-local/mutatingadmissionpolicy.json b/master-local/mutatingadmissionpolicy.json new file mode 100644 index 0000000000000000000000000000000000000000..f697ccdf59df575d1f697956a801c4fc61faee9b --- /dev/null +++ b/master-local/mutatingadmissionpolicy.json @@ -0,0 +1,39 @@ +{ + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicy" + ] + }, + "metadata": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." + }, + "spec": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicy." + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicy", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
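Review bot: on `kind`, the schema declares `"type": ["string", "null"]` together with `"enum": ["MutatingAdmissionPolicy"]`; because an instance has to satisfy both keywords, a null `kind` fails the enum and the `"null"` type entry has no effect. Either add `null` to the enum or drop it from `type`, whichever matches the intent. Also note that `spec` is not listed under a `required` array in this file, so an object with only `apiVersion`, `kind` and `metadata` passes this schema.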
diff --git a/master-local/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json b/master-local/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json similarity index 61% rename from master-local/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json rename to master-local/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json index 4a4b83b27e45429869bca49098fe1c16fc4e9c85..1965f49ed29b8992ded92c2fa932d27485750066 100644 --- a/master-local/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json +++ b/master-local/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json 
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -18,7 +18,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { @@ -26,15 +26,15 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding." + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicyBinding." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ], diff --git a/master-local/mutatingadmissionpolicybinding.json b/master-local/mutatingadmissionpolicybinding.json new file mode 100644 index 0000000000000000000000000000000000000000..3375ed4983ec42c1bcba67676abd793a8e1f09a4 --- /dev/null +++ b/master-local/mutatingadmissionpolicybinding.json 
@@ -0,0 +1,39 @@ +{ + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBinding" + ] + }, + "metadata": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." 
+ }, + "spec": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicyBinding." + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBinding", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json b/master-local/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json similarity index 86% rename from master-local/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json rename to master-local/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json index 18141e2cf21975387d670eeeed9c3960a7ca2f5f..0947bf74a36b8c12178266801348a3f5673722ee 100644 --- a/master-local/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json +++ b/master-local/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -14,7 +14,7 @@ "items": { "description": "List of PolicyBinding.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, "type": [ "array", @@ -28,7 +28,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBindingList" + "MutatingAdmissionPolicyBindingList" ] }, "metadata": { @@ -43,7 +43,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBindingList", + "kind": "MutatingAdmissionPolicyBindingList", "version": "v1alpha1" } ], diff --git a/master-local/mutatingadmissionpolicybindinglist.json b/master-local/mutatingadmissionpolicybindinglist.json new file mode 100644 index 0000000000000000000000000000000000000000..39634c1faaa347db03199724a5bd07375f98ca62 --- /dev/null +++ b/master-local/mutatingadmissionpolicybindinglist.json 
@@ -0,0 +1,48 @@ +{ + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "items": { + "description": "List of PolicyBinding.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBindingList" + ] + }, + "metadata": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBindingList", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
diff --git a/master-local/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json b/master-local/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..d7e512185da3cd9ee64648248b19adbd09551a8a --- /dev/null +++ b/master-local/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json 
@@ -0,0 +1,22 @@ +{ + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", + "description": "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT." + }, + "paramRef": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. 
If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/mutatingadmissionpolicybindingspec.json b/master-local/mutatingadmissionpolicybindingspec.json new file mode 100644 index 0000000000000000000000000000000000000000..d7e512185da3cd9ee64648248b19adbd09551a8a --- /dev/null +++ b/master-local/mutatingadmissionpolicybindingspec.json 
@@ -0,0 +1,22 @@ +{ + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", + "description": "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT." + }, + "paramRef": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. 
If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/validatingadmissionpolicylist-admissionregistration-v1alpha1.json b/master-local/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json similarity index 87% rename from master-local/validatingadmissionpolicylist-admissionregistration-v1alpha1.json rename to master-local/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json index 0f8d6eeec755bb919f4d8467642341cc97d560f4..0eb2300bb322a61e15abcf53ce6218360236566b 100644 --- a/master-local/validatingadmissionpolicylist-admissionregistration-v1alpha1.json +++ b/master-local/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -14,7 +14,7 @@ "items": { "description": "List of ValidatingAdmissionPolicy.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, "type": [ "array", @@ -28,7 +28,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyList" + "MutatingAdmissionPolicyList" ] }, "metadata": { 
@@ -43,7 +43,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyList", + "kind": "MutatingAdmissionPolicyList", "version": "v1alpha1" } ], diff --git a/master-local/mutatingadmissionpolicylist.json b/master-local/mutatingadmissionpolicylist.json new file mode 100644 index 0000000000000000000000000000000000000000..b213d02f6b01d6925f5a1035cfcc538280fa728a --- /dev/null +++ b/master-local/mutatingadmissionpolicylist.json 
@@ -0,0 +1,48 @@ +{ + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "items": { + "description": "List of ValidatingAdmissionPolicy.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyList" + ] + }, + "metadata": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyList", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json b/master-local/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..4e2a76c52a441924b4243ae9d4edc839eade0555 --- /dev/null 
+++ b/master-local/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json 
@@ -0,0 +1,67 @@ +{ + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. 
If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", + "description": "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required." + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", + "description": "paramKind specifies the kind of resources used to parameterize this policy. 
If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null." + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
diff --git a/master-local/mutatingadmissionpolicyspec.json b/master-local/mutatingadmissionpolicyspec.json new file mode 100644 index 0000000000000000000000000000000000000000..4e2a76c52a441924b4243ae9d4edc839eade0555 --- /dev/null +++ b/master-local/mutatingadmissionpolicyspec.json 
@@ -0,0 +1,67 @@ +{ + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. 
If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", + "description": "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required." + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", + "description": "paramKind specifies the kind of resources used to parameterize this policy. 
If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null." + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
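Review bot: in mutatingadmissionpolicyspec.json and its -admissionregistration-v1alpha1 copy, matchConstraints and reinvocationPolicy are described as "Required." and mutations as "may not be empty", but the object has no "required" array and every property also accepts "null", so a spec that omits them passes schema validation. Add a "required" list the way the Mutation schema does for patchType, and an enum for failurePolicy (Ignore, Fail) and reinvocationPolicy (Never, IfNeeded) so the allowed values named in the descriptions are enforced. Several descriptions also still carry validating wording: "must be met for a request to be validated", "designed to validate", "provided to validation expressions" and "validations that evaluate to false". For a mutating policy these should say what happens to mutations, in particular that failurePolicy=Ignore lets the request through unmutated.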
diff --git a/master-local/mutation-admissionregistration-v1alpha1.json b/master-local/mutation-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..22ae30eb6f164b801786428ac286dd2ce22cad48 --- /dev/null +++ b/master-local/mutation-admissionregistration-v1alpha1.json @@ -0,0 +1,25 @@ +{ + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration", + "description": "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration." + }, + "jsonPatch": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch", + "description": "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch." + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "patchType" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/mutation.json b/master-local/mutation.json new file mode 100644 index 0000000000000000000000000000000000000000..22ae30eb6f164b801786428ac286dd2ce22cad48 --- /dev/null +++ b/master-local/mutation.json 
@@ -0,0 +1,25 @@ +{ + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration", + "description": "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration." + }, + "jsonPatch": { + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch", + "description": "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch." + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "patchType" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/nonresourcepolicyrule-flowcontrol-v1beta3.json b/master-local/nonresourcepolicyrule-flowcontrol-v1beta3.json deleted file mode 100644 index ca6d9120033411e377badab96c0a0ac965eb86cb..0000000000000000000000000000000000000000 --- a/master-local/nonresourcepolicyrule-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/opaquedeviceconfiguration-resource-v1alpha3.json b/master-local/opaquedeviceconfiguration-resource-v1alpha3.json index 703001e6a0fe680430b6352aa8634ec7302c4a5e..3c9faca42623cb940df5d0433774e22aa85aacae 100644 --- a/master-local/opaquedeviceconfiguration-resource-v1alpha3.json +++ b/master-local/opaquedeviceconfiguration-resource-v1alpha3.json 
@@ -10,7 +10,7 @@ }, "parameters": { "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", - "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions." + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, "required": [ diff --git a/master-local/opaquedeviceconfiguration-resource-v1beta1.json b/master-local/opaquedeviceconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..3c9faca42623cb940df5d0433774e22aa85aacae --- /dev/null +++ b/master-local/opaquedeviceconfiguration-resource-v1beta1.json 
@@ -0,0 +1,22 @@ +{ + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": [ + "string", + "null" + ] + }, + "parameters": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." + } + }, + "required": [ + "driver", + "parameters" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/opaquedeviceconfiguration.json b/master-local/opaquedeviceconfiguration.json index 703001e6a0fe680430b6352aa8634ec7302c4a5e..3c9faca42623cb940df5d0433774e22aa85aacae 100644 --- a/master-local/opaquedeviceconfiguration.json +++ b/master-local/opaquedeviceconfiguration.json 
@@ -10,7 +10,7 @@ }, "parameters": { "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", - "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions." + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, "required": [ diff --git a/master-local/persistentvolumespec-v1.json b/master-local/persistentvolumespec-v1.json index a25fa3140bec1f4d53762f45bacc36d8c5f2e86d..752c46d19dad89c9b3c9aeceac605f0e027ecde5 100644 --- a/master-local/persistentvolumespec-v1.json +++ b/master-local/persistentvolumespec-v1.json 
@@ -17,15 +17,15 @@ }, "awsElasticBlockStore": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "capacity": { "additionalProperties": { 
@@ -39,11 +39,11 @@ }, "cephfs": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "claimRef": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ObjectReference", @@ -52,7 +52,7 @@ }, "csi": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource", - "description": "csi represents storage that is handled by an external CSI driver (Beta feature)." + "description": "csi represents storage that is handled by an external CSI driver." }, "fc": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FCVolumeSource", 
@@ -60,19 +60,19 @@ }, "flexVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "glusterfs": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource", - "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. 
Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
@@ -117,23 +117,23 @@ }, "photonPersistentDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "quobyte": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. 
More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "storageClassName": { "description": "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.", @@ -144,7 +144,7 @@ }, "storageos": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource", - "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md" + "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md" }, "volumeAttributesClassName": { "description": "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).", 
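Review bot: In the `storageos` hunk (and in the `rbd`, `scaleIO` and `quobyte` entries of the hunk before it), "no longer supported" is stated only in the free-text description while the property and its `$ref` stay in the schema unchanged, so a manifest that still sets one of these volume sources passes schema validation with no signal. Suggest saying in the description what happens to an object that sets the field, and carrying the deprecation in a machine-readable form that a linter or admission check can key on, instead of matching the word "Deprecated:". The `portworxVolume` text is the only redirect that is conditional ("when the CSIMigrationPortworx feature-gate is on"); it should also say what applies when the gate is off.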
@@ -162,7 +162,7 @@ }, "vsphereVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "type": "object", diff --git a/master-local/persistentvolumespec.json b/master-local/persistentvolumespec.json index a25fa3140bec1f4d53762f45bacc36d8c5f2e86d..752c46d19dad89c9b3c9aeceac605f0e027ecde5 100644 --- a/master-local/persistentvolumespec.json +++ b/master-local/persistentvolumespec.json 
@@ -17,15 +17,15 @@ }, "awsElasticBlockStore": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "capacity": { "additionalProperties": { 
@@ -39,11 +39,11 @@ }, "cephfs": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "claimRef": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ObjectReference", @@ -52,7 +52,7 @@ }, "csi": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource", - "description": "csi represents storage that is handled by an external CSI driver (Beta feature)." + "description": "csi represents storage that is handled by an external CSI driver." }, "fc": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FCVolumeSource", 
@@ -60,19 +60,19 @@ }, "flexVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "glusterfs": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource", - "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. 
Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
@@ -117,23 +117,23 @@ }, "photonPersistentDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "quobyte": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. 
More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "storageClassName": { "description": "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.", @@ -144,7 +144,7 @@ }, "storageos": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource", - "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md" + "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md" }, "volumeAttributesClassName": { "description": "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).", 
@@ -162,7 +162,7 @@ }, "vsphereVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "type": "object", diff --git a/master-local/podstatus-v1.json b/master-local/podstatus-v1.json index aaa6bfe0117fe227ac9bb5ea054a66a0769e1582..5ba48a50441ccbfeed9edf30044aa90ee42ff7e7 100644 --- a/master-local/podstatus-v1.json +++ b/master-local/podstatus-v1.json @@ -18,7 +18,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
@@ -29,7 +29,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, @@ -60,7 +60,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
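Review bot: In the `initContainerStatuses` description the More info link becomes `pod-lifecycle/#pod-and-container-status`, with a slash before the fragment, while the `containerStatuses` and `ephemeralContainerStatuses` descriptions in the same file keep `pod-lifecycle#pod-and-container-status`; use one form in all three. The new wording also documents that one status per container is "not enforced" and that duplicates or statuses for non-existent containers leave behavior undefined, but nothing in the visible `items` definition lets a schema consumer detect that case. It would help to state that readers of these lists have to match entries to the pod's containers by name and cannot assume uniqueness.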
diff --git a/master-local/podstatus.json b/master-local/podstatus.json index aaa6bfe0117fe227ac9bb5ea054a66a0769e1582..5ba48a50441ccbfeed9edf30044aa90ee42ff7e7 100644 --- a/master-local/podstatus.json +++ b/master-local/podstatus.json @@ -18,7 +18,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, @@ -29,7 +29,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
@@ -60,7 +60,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, diff --git a/master-local/policyruleswithsubjects-flowcontrol-v1beta3.json b/master-local/policyruleswithsubjects-flowcontrol-v1beta3.json deleted file mode 100644 index 32ec59cb6a11e9657b1a2c74e234c18f54f2afd9..0000000000000000000000000000000000000000 --- a/master-local/policyruleswithsubjects-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", - "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
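Review bot: `policyruleswithsubjects-flowcontrol-v1beta3.json` is deleted outright here, as is `nonresourcepolicyrule-flowcontrol-v1beta3.json` earlier in the patch, and no `flowcontrol-v1` file is added in the visible part of the diff to take over those paths. Anything that resolves a schema by the versioned filename will stop finding one, so please confirm the `v1` counterparts exist in the tree and call out the removal in the change description. A validator that treats a missing schema as "skip validation" would silently stop checking v1beta3 flow-control objects.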
diff --git a/master-local/policyruleswithsubjects.json b/master-local/policyruleswithsubjects.json index 32ec59cb6a11e9657b1a2c74e234c18f54f2afd9..a8255119aa6d3f430e3475a4d550f6566bc70362 100644 --- a/master-local/policyruleswithsubjects.json +++ b/master-local/policyruleswithsubjects.json @@ -4,7 +4,7 @@ "nonResourceRules": { "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.NonResourcePolicyRule" }, "type": [ "array", @@ -15,7 +15,7 @@ "resourceRules": { "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.ResourcePolicyRule" }, "type": [ "array", @@ -26,7 +26,7 @@ "subjects": { "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.Subject" }, "type": [ "array", diff --git a/master-local/prioritylevelconfiguration.json b/master-local/prioritylevelconfiguration.json index 06155d4afc58a7161bc14152c49ea7750a316a54..2f23b4bf25f1acec5abf49c425dcfb271ec09122 100644 --- a/master-local/prioritylevelconfiguration.json +++ b/master-local/prioritylevelconfiguration.json 
@@ -23,11 +23,11 @@ "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationSpec", "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationStatus", "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, @@ -36,7 +36,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json b/master-local/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json deleted file mode 100644 index f5d45ad2dc565776e8e7bfed9ca21b4ff7e709ed..0000000000000000000000000000000000000000 --- a/master-local/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/prioritylevelconfigurationlist-flowcontrol-v1beta3.json b/master-local/prioritylevelconfigurationlist-flowcontrol-v1beta3.json deleted file mode 100644 index e4d7df71d7122f6f15e6ff5ae3890f7fc106ca30..0000000000000000000000000000000000000000 --- a/master-local/prioritylevelconfigurationlist-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "items": { - "description": "`items` is a list of request-priorities.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" - }, - "type": [ - "array", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "PriorityLevelConfigurationList" - ] - }, - "metadata": { - "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/prioritylevelconfigurationlist.json b/master-local/prioritylevelconfigurationlist.json index 1dd2b97bd5364cf6fc36b67337ce66f76be03442..84e12220dc3f1e6509e5b6a836fb28be2dc6a12a 100644 
--- a/master-local/prioritylevelconfigurationlist.json +++ b/master-local/prioritylevelconfigurationlist.json @@ -11,7 +11,7 @@ "items": { "description": "`items` is a list of request-priorities.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/prioritylevelconfigurationreference-flowcontrol-v1beta3.json b/master-local/prioritylevelconfigurationreference-flowcontrol-v1beta3.json deleted file mode 100644 index 009271c11f11a90f54a5a8e6b420cec6286da4d9..0000000000000000000000000000000000000000 --- a/master-local/prioritylevelconfigurationreference-flowcontrol-v1beta3.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/prioritylevelconfigurationspec-flowcontrol-v1beta3.json b/master-local/prioritylevelconfigurationspec-flowcontrol-v1beta3.json deleted file mode 100644 index a9dd65ce1aeadd41ae30f70e4a50a2e76d6373c6..0000000000000000000000000000000000000000 --- a/master-local/prioritylevelconfigurationspec-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", - "properties": { - "exempt": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration", - "description": "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply." - }, - "limited": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration", - "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." - }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/prioritylevelconfigurationspec.json b/master-local/prioritylevelconfigurationspec.json index a9dd65ce1aeadd41ae30f70e4a50a2e76d6373c6..a1fea1fafdeadb2e3024e84391c3178cc877ddb5 100644 --- a/master-local/prioritylevelconfigurationspec.json 
+++ b/master-local/prioritylevelconfigurationspec.json @@ -2,11 +2,11 @@ "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", "properties": { "exempt": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.ExemptPriorityLevelConfiguration", "description": "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply." }, "limited": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration", + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration", "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." }, "type": { diff --git a/master-local/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json b/master-local/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json deleted file mode 100644 index b00b75944693a8b46c332030c921303dd61668ff..0000000000000000000000000000000000000000 --- a/master-local/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/prioritylevelconfigurationstatus.json b/master-local/prioritylevelconfigurationstatus.json index b00b75944693a8b46c332030c921303dd61668ff..ad95842a5c190b31631654ca2cf59fd6aafae5e5 100644 --- a/master-local/prioritylevelconfigurationstatus.json +++ b/master-local/prioritylevelconfigurationstatus.json @@ -4,7 +4,7 @@ "conditions": { "description": "`conditions` is the current state of \"request-priority\".", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" + "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationCondition" }, "type": [ "array", diff --git a/master-local/queuingconfiguration-flowcontrol-v1beta3.json b/master-local/queuingconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index a32f9fa0db3560a275f08d45fbe5604ea0ee691c..0000000000000000000000000000000000000000 --- a/master-local/queuingconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-local/prioritylevelconfiguration-flowcontrol-v1beta3.json b/master-local/resourceclaim-resource-v1beta1.json similarity index 51% rename from master-local/prioritylevelconfiguration-flowcontrol-v1beta3.json rename to master-local/resourceclaim-resource-v1beta1.json index ec1f4c4e7919a36babeb2fa407eccdc71ef54781..d7b1f40ba50f27bbc94d0273930b3fde94c417d7 100644 --- a/master-local/prioritylevelconfiguration-flowcontrol-v1beta3.json +++ b/master-local/resourceclaim-resource-v1beta1.json @@ -1,5 +1,5 @@ { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,7 +8,7 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "kind": { 
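Review bot: the description added at the top of `resourceclaim-resource-v1beta1.json` still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", while the `apiVersion` enum in the hunk just above pins `resource.k8s.io/v1beta1`. If the sentence is copied verbatim from the upstream spec, keep it, but note the mismatch in the commit message so that nobody reads the description as the maturity level; the group/version in the enum is what tooling will match on. The `ResourceClaimTemplate` description later in this patch carries the same sentence.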
@@ -18,28 +18,31 @@ "null" ], "enum": [ - "PriorityLevelConfiguration" + "ResourceClaim" ] }, "metadata": { "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object metadata" }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec", - "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", + "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, "status": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus", - "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus", + "description": "Status describes whether the claim is ready to use and what has been allocated." } }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/resourceclaim.json b/master-local/resourceclaim.json index a52496e615e2e794f415cb823f8e0261058988d6..3bd4e70028661aa427750a169222c83b69b0373d 100644 --- a/master-local/resourceclaim.json 
+++ b/master-local/resourceclaim.json @@ -23,11 +23,11 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, "status": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus", "description": "Status describes whether the claim is ready to use and what has been allocated." } }, @@ -39,7 +39,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/resourceclaimconsumerreference-resource-v1beta1.json b/master-local/resourceclaimconsumerreference-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c7b403264ba65696555b8191da3d5be36cdc9f30 --- /dev/null +++ b/master-local/resourceclaimconsumerreference-resource-v1beta1.json 
@@ -0,0 +1,40 @@ +{ + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": [ + "string", + "null" + ] + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/clustertrustbundlelist-certificates-v1alpha1.json b/master-local/resourceclaimlist-resource-v1beta1.json similarity index 71% rename from master-local/clustertrustbundlelist-certificates-v1alpha1.json rename to master-local/resourceclaimlist-resource-v1beta1.json index e792b4558273e891801d6105ad5b8d7d7d90c4f5..fbf3bfac3c4f984e3a1ddb6cc33ec3d26f7a0699 100644 --- a/master-local/clustertrustbundlelist-certificates-v1alpha1.json +++ b/master-local/resourceclaimlist-resource-v1beta1.json 
@@ -1,5 +1,5 @@ { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", + "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,13 +8,13 @@ "null" ], "enum": [ - "certificates.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "items is a collection of ClusterTrustBundle objects", + "description": "Items is the list of resource claims.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" }, "type": [ "array", @@ -28,12 +28,12 @@ "null" ], "enum": [ - "ClusterTrustBundleList" + "ResourceClaimList" ] }, "metadata": { "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "metadata contains the list metadata." + "description": "Standard list metadata" } }, "required": [ @@ -42,9 +42,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "ResourceClaimList", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/resourceclaimlist.json b/master-local/resourceclaimlist.json index aca94d779492c97aa8e170df5611db2976dc3fce..949c6c240412a538bd348f4e0821698298caa44b 100644 --- a/master-local/resourceclaimlist.json +++ b/master-local/resourceclaimlist.json 
@@ -11,7 +11,7 @@ "items": { "description": "Items is the list of resource claims.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/resourceclaimspec-resource-v1beta1.json b/master-local/resourceclaimspec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..a70ab22f135b7d187e3da37b0cb858fe101447c7 --- /dev/null +++ b/master-local/resourceclaimspec-resource-v1beta1.json @@ -0,0 +1,11 @@ +{ + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim", + "description": "Devices defines how to request devices." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/resourceclaimspec.json b/master-local/resourceclaimspec.json index 62de135fbac861564f3a7e76177d7f9a0596fcf0..a70ab22f135b7d187e3da37b0cb858fe101447c7 100644 --- a/master-local/resourceclaimspec.json +++ b/master-local/resourceclaimspec.json @@ -2,7 +2,7 @@ "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { "devices": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim", "description": "Devices defines how to request devices." } }, 
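Review bot: after this hunk `resourceclaimspec.json` has the same blob id as the newly added `resourceclaimspec-resource-v1beta1.json` (both index lines end at `a70ab22f...`), so the unversioned name moves from v1alpha3 to v1beta1 through the one-line `$ref` change to `io.k8s.api.resource.v1beta1.DeviceClaim`. Two things to check before merging: that `io.k8s.api.resource.v1beta1.DeviceClaim` is added to `_definitions.json` in this same commit, since a dangling `$ref` would break resolution for every schema that includes this one; and whether a `-resource-v1alpha3` file is kept for manifests that still declare `resource.k8s.io/v1alpha3`, which would otherwise be validated against the v1beta1 shape.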
diff --git a/master-local/resourceclaimstatus-resource-v1beta1.json b/master-local/resourceclaimstatus-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..32e436a7844215693fd6066c30075065b75a3d7e --- /dev/null +++ b/master-local/resourceclaimstatus-resource-v1beta1.json 
@@ -0,0 +1,27 @@ +{ + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.AllocationResult", + "description": "Allocation is set once the claim has been allocated successfully." + }, + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/resourceclaimstatus.json b/master-local/resourceclaimstatus.json index 5fcb80b0b21385eea3f7807f3f19accf6f71bcbf..32e436a7844215693fd6066c30075065b75a3d7e 100644 --- a/master-local/resourceclaimstatus.json 
+++ b/master-local/resourceclaimstatus.json @@ -2,13 +2,13 @@ "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", "properties": { "allocation": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.AllocationResult", "description": "Allocation is set once the claim has been allocated successfully." }, "reservedFor": { "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" }, "type": [ "array", diff --git a/master-local/resourceclaimtemplate-resource-v1beta1.json b/master-local/resourceclaimtemplate-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..ad4898bd5b4e65d44f07db90777d7837584ee833 --- /dev/null 
+++ b/master-local/resourceclaimtemplate-resource-v1beta1.json @@ -0,0 +1,45 @@ +{ + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimTemplate" + ] + }, + "metadata": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata" + }, + "spec": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec", + "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
diff --git a/master-local/resourceclaimtemplate.json b/master-local/resourceclaimtemplate.json index 59d6a66cf63edfcefca7a1db03c4bb2a5cab0399..2719870b3bd856d1d75dd4b66f97772a637a89d5 100644 --- a/master-local/resourceclaimtemplate.json +++ b/master-local/resourceclaimtemplate.json @@ -23,7 +23,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec", "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." } }, @@ -35,7 +35,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/flowschemalist-flowcontrol-v1beta3.json b/master-local/resourceclaimtemplatelist-resource-v1beta1.json similarity index 68% rename from master-local/flowschemalist-flowcontrol-v1beta3.json rename to master-local/resourceclaimtemplatelist-resource-v1beta1.json index 053bf33800402cfa614f099669f7623c004fd4e3..4cdce254bd370869a26d4c23c532fdf5c659b0d7 100644 --- a/master-local/flowschemalist-flowcontrol-v1beta3.json +++ b/master-local/resourceclaimtemplatelist-resource-v1beta1.json @@ -1,5 +1,5 @@ { - "description": "FlowSchemaList is a list of FlowSchema objects.", + "description": "ResourceClaimTemplateList is a collection of claim templates.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
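Review bot: the `rename from master-local/flowschemalist-flowcontrol-v1beta3.json` header with `similarity index 68%` is git's rename detection pairing two unrelated kinds, so this hunk reads as if `FlowSchemaList` had been edited into `ResourceClaimTemplateList`. The same happens with the 51% and 71% renames earlier in the patch. For a schema sync like this one, regenerate the patch with rename detection off (`git diff --no-renames`) so that the v1beta3 removal and the v1beta1 addition appear as a plain delete and a plain add and the removal is not overlooked in review.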
@@ -8,13 +8,13 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "`items` is a list of FlowSchemas.", + "description": "Items is the list of resource claim templates.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" }, "type": [ "array", @@ -28,12 +28,12 @@ "null" ], "enum": [ - "FlowSchemaList" + "ResourceClaimTemplateList" ] }, "metadata": { "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata" } }, "required": [ @@ -42,9 +42,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchemaList", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplateList", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/resourceclaimtemplatelist.json b/master-local/resourceclaimtemplatelist.json index 3b27ec67fd4c719dc9cdab5742cb6f551bbb741e..6a7d1d1fa8724a1fba26adf2def04cf4784a0862 100644 --- a/master-local/resourceclaimtemplatelist.json +++ b/master-local/resourceclaimtemplatelist.json @@ -11,7 +11,7 @@ "items": { "description": "Items is the list of resource claim templates.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplateList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" 
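Review bot: The unversioned resourceclaimtemplatelist.json now declares "version": "v1beta1" in x-kubernetes-group-version-kind, and the items $ref in the hunk before it was switched from v1alpha3 to v1beta1 in the same change, so anything that validates resource.k8s.io/v1alpha3 manifests against the unversioned file is checked against v1beta1 definitions from here on. The patch adds -resource-v1beta1.json files, but the visible hunks do not show what happens to the v1alpha3 counterparts. Please confirm whether they are kept or intentionally dropped, and mention the retargeting in the change description so users who pin to the unversioned schemas know the version moved.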
diff --git a/master-local/resourceclaimtemplatespec-resource-v1beta1.json b/master-local/resourceclaimtemplatespec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..f20be6fa24dae8241a1df393d6205a22c5b4d300 --- /dev/null +++ b/master-local/resourceclaimtemplatespec-resource-v1beta1.json @@ -0,0 +1,18 @@ +{ + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." + }, + "spec": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", + "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." + } + }, + "required": [ + "spec" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/resourceclaimtemplatespec.json b/master-local/resourceclaimtemplatespec.json index cdc35676caef1e90f1be49dc0ce563529d67ddac..f20be6fa24dae8241a1df393d6205a22c5b4d300 100644 --- a/master-local/resourceclaimtemplatespec.json +++ b/master-local/resourceclaimtemplatespec.json 
@@ -6,7 +6,7 @@ "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." } }, diff --git a/master-local/resourcepolicyrule-flowcontrol-v1beta3.json b/master-local/resourcepolicyrule-flowcontrol-v1beta3.json deleted file mode 100644 index c50cd302c586dfea83755a3ac4b1f8258666e262..0000000000000000000000000000000000000000 --- a/master-local/resourcepolicyrule-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). 
This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/resourcepool-resource-v1beta1.json b/master-local/resourcepool-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c85bd4c5ed0de40ec3f8ef20bb164fe800fa5b02 --- /dev/null +++ b/master-local/resourcepool-resource-v1beta1.json 
@@ -0,0 +1,35 @@ +{ + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/resourceslice-resource-v1beta1.json b/master-local/resourceslice-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c3729f37a889ef3fab1f798a9262d6684f133b74 --- /dev/null +++ b/master-local/resourceslice-resource-v1beta1.json 
@@ -0,0 +1,45 @@ +{ + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceSlice" + ] + }, + "metadata": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata" + }, + "spec": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec", + "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/resourceslice.json b/master-local/resourceslice.json index 46160dd6ef59c3227810f45c069346e2c0ea6dbd..7f2c3fe986cc24405398fb65f05c71d3fd78afc6 100644 --- a/master-local/resourceslice.json +++ b/master-local/resourceslice.json @@ -23,7 +23,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec", "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." } }, 
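Review bot: The new $ref on spec resolves to v1beta1.ResourceSliceSpec, and the definition added for it later in this patch carries its constraints only as description text: "Exactly one of NodeName, NodeSelector and AllNodes must be set" has no oneOf, and "Must not have more than 128 entries" on devices has no maxItems. A ResourceSlice that sets both nodeName and allNodes, or lists more than 128 devices, therefore validates cleanly against resourceslice.json. Because the nodeName description says the field can be used to limit access from nodes to ResourceSlices, it is worth stating in the change description that these schemas are not a substitute for API server validation, or extending the generator to emit the constraints if the source data allows it.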
@@ -35,7 +35,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/resourceslicelist-resource-v1beta1.json b/master-local/resourceslicelist-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..ca0d0b25afa73b5abd558f64d6e96668f226affb --- /dev/null +++ b/master-local/resourceslicelist-resource-v1beta1.json 
@@ -0,0 +1,51 @@ +{ + "description": "ResourceSliceList is a collection of ResourceSlices.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "items": { + "description": "Items is the list of resource ResourceSlices.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceSliceList" + ] + }, + "metadata": { + "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceSliceList", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/resourceslicelist.json b/master-local/resourceslicelist.json index 64180849c6e9bf0d7eb700d12b2dd33c1ed3dd92..df04ee96100d2f6729b38b9c32ae25d7afa1e3d9 100644 --- a/master-local/resourceslicelist.json +++ b/master-local/resourceslicelist.json 
@@ -11,7 +11,7 @@ "items": { "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSliceList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-local/resourceslicespec-resource-v1beta1.json b/master-local/resourceslicespec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c6dc3bdf2c4bd21dd3e6604645074752702cefc4 --- /dev/null +++ b/master-local/resourceslicespec-resource-v1beta1.json 
@@ -0,0 +1,51 @@ +{ + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", + "properties": { + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", + "type": [ + "boolean", + "null" + ] + }, + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", + "items": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.Device" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeSelector": { + "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." 
+ }, + "pool": { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourcePool", + "description": "Pool describes the pool that this ResourceSlice belongs to." + } + }, + "required": [ + "driver", + "pool" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-local/resourceslicespec.json b/master-local/resourceslicespec.json index 55bd68f9a3f0d8dad8289ccb095deb3cf8b80366..c6dc3bdf2c4bd21dd3e6604645074752702cefc4 100644 --- a/master-local/resourceslicespec.json +++ b/master-local/resourceslicespec.json @@ -11,7 +11,7 @@ "devices": { "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.Device" + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.Device" }, "type": [ "array", @@ -38,7 +38,7 @@ "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, "pool": { - "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourcePool", "description": "Pool describes the pool that this ResourceSlice belongs to." } }, diff --git a/master-local/selfsubjectreviewstatus-authentication-v1alpha1.json b/master-local/selfsubjectreviewstatus-authentication-v1alpha1.json deleted file mode 100644 index 387dbcc63b99f4c2cd212c8f3183ce29278d3884..0000000000000000000000000000000000000000 --- a/master-local/selfsubjectreviewstatus-authentication-v1alpha1.json +++ /dev/null 
@@ -1,11 +0,0 @@ -{ - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", - "properties": { - "userInfo": { - "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1.UserInfo", - "description": "User attributes of the user making this request." - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/serviceaccountsubject-flowcontrol-v1beta3.json b/master-local/serviceaccountsubject-flowcontrol-v1beta3.json deleted file mode 100644 index 6548d56e8ca2b50536413574d36c0e31ae6b6b20..0000000000000000000000000000000000000000 --- a/master-local/serviceaccountsubject-flowcontrol-v1beta3.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "namespace", - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/subject-flowcontrol-v1beta3.json b/master-local/subject-flowcontrol-v1beta3.json deleted file mode 100644 index 7b721ecc0f7d506e51c5968c1a5587c43710b089..0000000000000000000000000000000000000000 --- a/master-local/subject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject", - "description": "`group` matches based on user group name." - }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": [ - "string", - "null" - ] - }, - "serviceAccount": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject", - "description": "`serviceAccount` matches ServiceAccounts." - }, - "user": { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject", - "description": "`user` matches based on username." - } - }, - "required": [ - "kind" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/typechecking-admissionregistration-v1alpha1.json b/master-local/typechecking-admissionregistration-v1alpha1.json deleted file mode 100644 index adeb88c5bf554f43954ab092383a8d06e02e1775..0000000000000000000000000000000000000000 --- a/master-local/typechecking-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,18 +0,0 @@ -{ - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/usersubject-flowcontrol-v1beta3.json b/master-local/usersubject-flowcontrol-v1beta3.json deleted file mode 100644 index 68c027e1658d13f83854f8584cf6b43fe21f6371..0000000000000000000000000000000000000000 --- a/master-local/usersubject-flowcontrol-v1beta3.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json b/master-local/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json deleted file mode 100644 index 6457f461941ba89c2be5c4aff1285d1678f04799..0000000000000000000000000000000000000000 --- a/master-local/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", - "properties": { - "matchResources": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required." - }, - "paramRef": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", - "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." - }, - "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", - "type": [ - "string", - "null" - ] - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. 
If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination 
needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json b/master-local/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json deleted file mode 100644 index 710c7cc6ba0a8af1f31371f50ea25f13447928df..0000000000000000000000000000000000000000 --- a/master-local/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", - "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", - "type": [ - "string", - "null" - ] - }, - "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. 
If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - }, - "matchConstraints": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required." - }, - "paramKind": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", - "description": "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null." - }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. 
Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json b/master-local/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json deleted file mode 100644 index 73b88cdf5b466c19b6d1566b5be7bf00e6ad127e..0000000000000000000000000000000000000000 --- a/master-local/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "$ref": "_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "typeChecking": { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking", - "description": "The results of type checking for each expression. Presence of this field indicates the completion of the type checking." - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-local/validation-admissionregistration-v1alpha1.json b/master-local/validation-admissionregistration-v1alpha1.json deleted file mode 100644 index a4effa90f7dda98886dddfdb96cbc642b4f399a6..0000000000000000000000000000000000000000 --- a/master-local/validation-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' 
escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. 
If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
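Review bot: nothing replaces validation-admissionregistration-v1alpha1.json after this whole-file deletion (`@@ -1,38 +0,0 @@`, `+++ /dev/null`), and the same holds for the ValidatingAdmissionPolicySpec and ValidatingAdmissionPolicyStatus files deleted just above it. A manifest that still uses these v1alpha1 types has no schema left to resolve at these paths, and the `"required": ["expression"]` constraint on Validation goes with the file. Please call the removal out in the change description, and check that any validator consuming master-local fails on a missing schema instead of skipping the document.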
diff --git a/master-local/volume-v1.json b/master-local/volume-v1.json index d575d8a7212e9de6887820b78ea9dd99b20f977b..919bfb57736eee396b474a66178f0f97fc1ff63a 100644 --- a/master-local/volume-v1.json +++ b/master-local/volume-v1.json 
@@ -3,23 +3,23 @@ "properties": { "awsElasticBlockStore": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "cephfs": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CephFSVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CinderVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "configMap": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource", @@ -27,7 +27,7 @@ }, "csi": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CSIVolumeSource", - "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers." }, "downwardAPI": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource", 
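Review bot: the deprecation state added in the `@@ -3,23 +3,23 @@` hunk lives only in the `description` strings, so a manifest using `cephfs` (now "no longer supported") validates exactly as it did before, as does one using the redirected types (`awsElasticBlockStore`, `azureDisk`, `azureFile`, `cinder`). If these schemas gate manifests in CI, add a separate lint rule for the deprecated volume keys rather than relying on schema validation to surface them. The `@@ -27,7 +27,7 @@` hunk only drops "(Beta feature)" from the `csi` description and needs no change.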
@@ -47,23 +47,23 @@ }, "flexVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FlexVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "gitRepo": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource", - "description": "gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. 
To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." + "description": "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." }, "glusterfs": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource", - "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
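Review bot: the `gitRepo` line changes the marker from `DEPRECATED:` to `Deprecated:`, which matches the other entries in this hunk but breaks any case-sensitive search for the old spelling. If a downstream check greps descriptions for `DEPRECATED:`, switch it to a case-insensitive match in the same change so `gitRepo` does not silently drop out of its results.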
@@ -94,11 +94,11 @@ }, "photonPersistentDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "projected": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource", 
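Review bot: the `portworxVolume` description is the only redirect in this file that is conditional ("when the CSIMigrationPortworx feature-gate is on"), while `photonPersistentDisk` in the same hunk is unsupported outright, so the two new notes describe different operational states under the same "Deprecated:" prefix. Any summary of this change should list `portworxVolume` separately from the unconditional redirects (`awsElasticBlockStore`, `azureDisk`, `azureFile`, `cinder`) so operators do not assume the CSI driver is handling it.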
@@ -106,15 +106,15 @@ }, "quobyte": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.RBDVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "secret": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.SecretVolumeSource", 
@@ -122,11 +122,11 @@ }, "storageos": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource", - "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported." }, "vsphereVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "required": [ diff --git a/master-local/volume.json b/master-local/volume.json index d575d8a7212e9de6887820b78ea9dd99b20f977b..919bfb57736eee396b474a66178f0f97fc1ff63a 100644 --- a/master-local/volume.json +++ b/master-local/volume.json 
@@ -3,23 +3,23 @@ "properties": { "awsElasticBlockStore": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "cephfs": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CephFSVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. 
Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CinderVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "configMap": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource", @@ -27,7 +27,7 @@ }, "csi": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.CSIVolumeSource", - "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers." }, "downwardAPI": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource", 
@@ -47,23 +47,23 @@ }, "flexVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FlexVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "gitRepo": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource", - "description": "gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. 
To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." + "description": "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." }, "glusterfs": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource", - "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
@@ -94,11 +94,11 @@ }, "photonPersistentDisk": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "projected": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource", 
@@ -106,15 +106,15 @@ }, "quobyte": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.RBDVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "secret": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.SecretVolumeSource", 
@@ -122,11 +122,11 @@ }, "storageos": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource", - "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported." }, "vsphereVolume": { "$ref": "_definitions.json#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "required": [ diff --git a/master-local/watchevent-meta-v1.json b/master-local/watchevent-meta-v1.json index 8b8c669f2f5dbbdcebf1861423f594d6b61907a0..1a29454c889ca0237de9ccde542a2f408679a2cc 100644 --- a/master-local/watchevent-meta-v1.json +++ b/master-local/watchevent-meta-v1.json @@ -283,6 +283,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master-local/watchevent.json b/master-local/watchevent.json index 8b8c669f2f5dbbdcebf1861423f594d6b61907a0..1a29454c889ca0237de9ccde542a2f408679a2cc 100644 --- a/master-local/watchevent.json +++ b/master-local/watchevent.json @@ -283,6 +283,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", 
diff --git a/master-standalone-strict/_definitions.json b/master-standalone-strict/_definitions.json index 541c68133f7a2a89934a97b35b2d8d54b154b0ac..c9f8b76d958212110728d2fc58873d60d313af63 100644 --- a/master-standalone-strict/_definitions.json +++ b/master-standalone-strict/_definitions.json 
@@ -916,41 +916,25 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. 
All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", "type": "string" } }, - "required": [ - "key", - "valueExpression" - ], "type": "object", "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", + "io.k8s.api.admissionregistration.v1alpha1.JSONPatch": { + "description": "JSONPatch defines a JSON Patch.", "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", "type": "string" } }, - "required": [ - "fieldRef", - "warning" - ], "type": "object", "additionalProperties": false }, 
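Review bot: In the @@ -916 hunk, the `expression` descriptions of both ApplyConfiguration and JSONPatch end in "Required.", but the old `required` arrays are removed and none is added, so with only `"additionalProperties": false` left an empty object validates against either definition. If the field is meant to be mandatory, add `"required": ["expression"]` to both definitions; if this file is generated, the fix belongs in whatever the schema is generated from. Two smaller points in the same descriptions: the pattern `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`, read as a regular expression, treats `.-/` as a range, so a literal `-` is not in the class (move the `-` to the end of the class if hyphenated names are meant to match), and the quoting is unbalanced in the `'Object.<fieldName1>.<fieldName2>...<fieldNameN>` item and in the jsonpatch.escapeKey sentence, which also has a stray closing parenthesis.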
@@ -1008,115 +992,8 @@ "x-kubernetes-map-type": "atomic", "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations": { - "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", - "properties": { - "apiGroups": { - "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "apiVersions": { - "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "operations": { - "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resourceNames": { - "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resources": { - "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. 
'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "scope": { - "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", - "type": "string" - } - }, - "type": "object", - "x-kubernetes-map-type": "atomic", - "additionalProperties": false - }, - "io.k8s.api.admissionregistration.v1alpha1.ParamKind": { - "description": "ParamKind is a tuple of Group Kind and Version.", - "properties": { - "apiVersion": { - "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", - "type": "string" - }, - "kind": { - "description": "Kind is the API kind the resources belong to. Required.", - "type": "string" - } - }, - "type": "object", - "x-kubernetes-map-type": "atomic", - "additionalProperties": false - }, - "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { - "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", - "properties": { - "name": { - "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", - "type": "string" - }, - "namespace": { - "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. 
Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", - "type": "string" - }, - "parameterNotFoundAction": { - "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", - "type": "string" - }, - "selector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." 
- } - }, - "type": "object", - "x-kubernetes-map-type": "atomic", - "additionalProperties": false - }, - "io.k8s.api.admissionregistration.v1alpha1.TypeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy": { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy": { + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1126,7 +1003,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
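Review bot: The @@ -1008 hunk deletes the `io.k8s.api.admissionregistration.v1alpha1.ParamKind` and `io.k8s.api.admissionregistration.v1alpha1.ParamRef` definitions, yet later in this diff `MutatingAdmissionPolicyBindingSpec.paramRef` and `MutatingAdmissionPolicySpec.paramKind` still carry a `$ref` to exactly those two names. Please confirm both definitions are re-added further down the file (the @@ -1320 hunk grows from 112 to 172 lines, so they may simply have moved) and check that every `$ref` in the resulting file resolves before merging; a dangling reference would make validators either fail on these specs or skip the referenced sub-schema.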
@@ -1134,26 +1011,22 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicy." - }, - "status": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus", - "description": "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only." + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicy." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ], "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding": { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. 
Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding": { + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1163,7 +1036,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { 
@@ -1171,22 +1044,22 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding." + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicyBinding." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ], "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList": { - "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList": { + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1195,7 +1068,7 @@ "items": { "description": "List of PolicyBinding.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, "type": "array" }, 
@@ -1203,7 +1076,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyBindingList" + "MutatingAdmissionPolicyBindingList" ] }, "metadata": { 
@@ -1218,41 +1091,33 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBindingList", + "kind": "MutatingAdmissionPolicyBindingList", "version": "v1alpha1" } ], "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec": { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec": { + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required." + "description": "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. 
Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT." }, "paramRef": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", - "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. 
If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": "string" - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. 
The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList": { - "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList": { + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1261,7 +1126,7 @@ "items": { "description": "List of ValidatingAdmissionPolicy.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, "type": "array" }, @@ -1269,7 +1134,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyList" + "MutatingAdmissionPolicyList" ] }, "metadata": { 
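Review bot: In the @@ -1261 hunk the `items` entry of MutatingAdmissionPolicyList now references `MutatingAdmissionPolicy`, but its unchanged description still reads "List of ValidatingAdmissionPolicy."; change it to "List of MutatingAdmissionPolicy." so generated documentation and editor hints name the right kind. The new matchResources text in the @@ -1218 hunk also has two grammar slips worth fixing in the same pass: "do not constraint matching" and "this is differs from".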
@@ -1284,29 +1149,21 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyList", + "kind": "MutatingAdmissionPolicyList", "version": "v1alpha1" } ], "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec": { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec": { + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. 
Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": "string" }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. 
If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" }, 
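Review bot: The new failurePolicy and matchConditions descriptions in the @@ -1284 hunk still use validation wording for a mutating policy: "failurePolicy does not define how validations that evaluate to false are handled", "conditions that must be met for a request to be validated" and "in the same manner as validation expressions". This spec defines `mutations`, not validations, so the text should describe what happens to the mutation instead. That matters most for `Ignore`: the matchConditions rules shown here say the policy is skipped on error, which for a mutating policy means the request continues without this policy's changes, and the failurePolicy description should say so explicitly.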
@@ -1320,112 +1177,172 @@ }, "matchConstraints": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required." - }, - "paramKind": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", - "description": "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null." + "description": "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required." }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", + "mutations": { + "description": "mutations contain operations to perform on matching objects. 
mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" }, "type": "array", "x-kubernetes-list-type": "atomic" }, + "paramKind": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", + "description": "paramKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null." + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": "string" + }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" }, "type": "array", - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus": { - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": "integer" - }, - "typeChecking": { - "$ref": 
"#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking", - "description": "The results of type checking for each expression. Presence of this field indicates the completion of the type checking." + "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.Validation": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", + "io.k8s.api.admissionregistration.v1alpha1.Mutation": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. 
Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".", - "type": "string" + "applyConfiguration": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration", + "description": "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration." }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. 
messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": "string" + "jsonPatch": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch", + "description": "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch." }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", "type": "string" } }, "required": [ - "expression" + "patchType" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.admissionregistration.v1alpha1.Variable": { - "description": "Variable is the definition of a variable that is used for composition.", + "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", "properties": { - "expression": { - "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", - "type": "string" + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "name": { - "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", - "type": "string" - } - }, - "required": [ - "name", - "expression" - ], - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. 
'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "io.k8s.api.admissionregistration.v1alpha1.ParamKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", + "type": "string" + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": "string" + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. 
Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": "string" + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": "string" + }, + "selector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." 
+ } + }, + "type": "object", + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "io.k8s.api.admissionregistration.v1alpha1.Variable": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation": { + "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "properties": { "key": { "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", "type": "string" 
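Review bot: The added `paramKind` description for the mutating policy still says the param CEL variable "will not be provided to validation expressions", the re-added `Variable.expression` text points at "the CEL expressions in Validation" although this hunk deletes the v1alpha1 `Validation` definition, and `ParamRef.parameterNotFoundAction` speaks of "successful validation". Reword these for mutations, or state that the wording is carried over from the validating policy. Also reconcile `matchConstraints` ("The DELETE operation may not be matched") with `NamedRuleWithOperations.operations`, whose description still lists DELETE and describes `*` as covering all operations, so a reader of the rule schema alone cannot tell that DELETE is rejected. Finally, `Mutation` lists only `patchType` under `required`; if the matching `applyConfiguration` or `jsonPatch` must also be set, say so in the `patchType` description, because the schema as written does not express it.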
@@ -3432,50 +3349,6 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.authentication.v1alpha1.SelfSubjectReview": { - "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "SelfSubjectReview" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus", - "description": "Status is filled in by the server with the user attributes." 
- } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "authentication.k8s.io", - "kind": "SelfSubjectReview", - "version": "v1alpha1" - } - ], - "additionalProperties": false - }, - "io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus": { - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", - "properties": { - "userInfo": { - "$ref": "#/definitions/io.k8s.api.authentication.v1.UserInfo", - "description": "User attributes of the user making this request." - } - }, - "type": "object", - "additionalProperties": false - }, "io.k8s.api.authentication.v1beta1.SelfSubjectReview": { "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", "properties": { 
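Review bot: Nothing around the deleted `io.k8s.api.authentication.v1alpha1.SelfSubjectReview` and `SelfSubjectReviewStatus` definitions tells a consumer of this schema that `authentication.k8s.io/v1alpha1` objects will stop validating against this file. The v1beta1 definition is still present as context below the removal, so name it as the remaining version in the commit message or changelog entry for this update.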
@@ -4597,7 +4470,7 @@ "properties": { "containerResource": { "$ref": "#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource", - "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag." + "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "external": { "$ref": "#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource", @@ -4616,7 +4489,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
@@ -4650,7 +4523,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, 
@@ -5589,99 +5462,6 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundle": { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "metadata contains the object metadata." 
- }, - "spec": { - "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec", - "description": "spec contains the signer (if any) and trust anchors." - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "additionalProperties": false - }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList": { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items is a collection of ClusterTrustBundle objects", - "items": { - "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" - }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterTrustBundleList" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "metadata contains the list metadata." 
- } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" - } - ], - "additionalProperties": false - }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": "string" - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. 
The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "additionalProperties": false - }, "io.k8s.api.coordination.v1.Lease": { "description": "Lease defines a lease concept.", "properties": { @@ -6115,7 +5895,7 @@ "additionalProperties": false }, "io.k8s.api.core.v1.CSIPersistentVolumeSource": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "$ref": "#/definitions/io.k8s.api.core.v1.SecretReference", @@ -8559,7 +8339,7 @@ "additionalProperties": false }, "io.k8s.api.core.v1.LocalVolumeSource": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
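Review bot: For the `io.k8s.api.certificates.v1alpha1.ClusterTrustBundle`, `ClusterTrustBundleList` and `ClusterTrustBundleSpec` definitions removed in the -5589 hunk, no other version of the type appears in the visible context, so manifests using `certificates.k8s.io/v1alpha1` ClusterTrustBundle would have no schema to validate against. These objects carry X.509 trust anchors and the removed schema made `trustBundle` required; confirm that a definition for the version actually served exists elsewhere in the file, or document that trust bundle manifests are no longer covered by this schema.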
@@ -9665,15 +9445,15 @@ }, "awsElasticBlockStore": { "$ref": "#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "capacity": { "additionalProperties": { 
@@ -9684,11 +9464,11 @@ }, "cephfs": { "$ref": "#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "claimRef": { "$ref": "#/definitions/io.k8s.api.core.v1.ObjectReference", @@ -9697,7 +9477,7 @@ }, "csi": { "$ref": "#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource", - "description": "csi represents storage that is handled by an external CSI driver (Beta feature)." + "description": "csi represents storage that is handled by an external CSI driver." }, "fc": { "$ref": "#/definitions/io.k8s.api.core.v1.FCVolumeSource", 
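Review bot: In the -9684 hunk the rewritten `cinder` description keeps "mounted on kubelets host machine", while the `awsElasticBlockStore` description touched by this same patch writes "a kubelet's host machine"; since the line is being rewritten anyway, fix the possessive. The `cephfs` line has a similar mismatch: the key is `cephfs`, the description opens with "cephFS" and the new deprecation sentence uses both "CephFS" and "cephfs", so settle on the key spelling when referring to the in-tree type.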
@@ -9705,19 +9485,19 @@ }, "flexVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "glusterfs": { "$ref": "#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource", - "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
@@ -9753,23 +9533,23 @@ }, "photonPersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "quobyte": { "$ref": "#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. 
More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "storageClassName": { "description": "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.", @@ -9777,7 +9557,7 @@ }, "storageos": { "$ref": "#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource", - "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md" + "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md" }, "volumeAttributesClassName": { "description": "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).", 
@@ -9789,7 +9569,7 @@ }, "vsphereVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "type": "object", @@ -10534,7 +10314,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
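Review bot: the new containerStatuses description states a constraint (at most one status per container, every status naming a container in the pod) and then says it is not enforced, yet only the description string changes here, so the schema still accepts a list with duplicate or unknown container names. The commit message should say that consumers which index statuses by container name have to handle duplicates and unknown names themselves, because the text leaves component behaviour undefined in that case.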
@@ -10542,7 +10322,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, @@ -10564,7 +10344,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
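Review bot: the More info link in the new initContainerStatuses description reads "pod-lifecycle/#pod-and-container-status", with a slash before the fragment, while the removed line in this hunk and the containerStatuses and ephemeralContainerStatuses descriptions added just above use "pod-lifecycle#pod-and-container-status". Use one form for all three status lists; if the text is generated from upstream, the inconsistency should be fixed there instead of patched locally.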
@@ -12544,23 +12324,23 @@ "properties": { "awsElasticBlockStore": { "$ref": "#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "cephfs": { "$ref": "#/definitions/io.k8s.api.core.v1.CephFSVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." 
}, "cinder": { "$ref": "#/definitions/io.k8s.api.core.v1.CinderVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "configMap": { "$ref": "#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource", @@ -12568,7 +12348,7 @@ }, "csi": { "$ref": "#/definitions/io.k8s.api.core.v1.CSIVolumeSource", - "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers." }, "downwardAPI": { "$ref": "#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource", 
@@ -12588,23 +12368,23 @@ }, "flexVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.FlexVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "gitRepo": { "$ref": "#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource", - "description": "gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." 
+ "description": "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." }, "glusterfs": { "$ref": "#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource", - "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", @@ -12632,11 +12412,11 @@ }, "photonPersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "projected": { "$ref": "#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource", 
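Review bot: portworxVolume is the only redirected type in this patch whose redirection is conditional ("when the CSIMigrationPortworx feature-gate is on"), and the description does not say what happens to the in-tree type when the gate is off. Readers comparing it with awsElasticBlockStore, cinder or vsphereVolume will assume the redirect is unconditional; add a sentence stating the gate-off behaviour, or at least that the in-tree path is still used in that case if that is what is meant.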
@@ -12644,15 +12424,15 @@ }, "quobyte": { "$ref": "#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "#/definitions/io.k8s.api.core.v1.RBDVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "secret": { "$ref": "#/definitions/io.k8s.api.core.v1.SecretVolumeSource", 
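Review bot: quobyte, rbd and scaleIO are now described as "no longer supported", but the three properties and their $ref targets stay in the schema unchanged, so a volume definition that uses them still validates cleanly. The deprecation exists only as description text; if this schema gates manifests, a separate lint rule that flags these fields would be needed to surface it, and the commit message should say so.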
@@ -12660,11 +12440,11 @@ }, "storageos": { "$ref": "#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource", - "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported." }, "vsphereVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "required": [ 
@@ -13867,112 +13647,165 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", + "io.k8s.api.networking.v1.HTTPIngressPath": { + "description": "HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.", "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": "integer" + "backend": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", + "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to." }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. 
The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": "integer" - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", + "path": { + "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".", + "type": "string" + }, + "pathType": { + "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. 
Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.", "type": "string" } }, "required": [ - "type" + "pathType", + "backend" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchema": { - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", + "io.k8s.api.networking.v1.HTTPIngressRuleValue": { + "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, + "paths": { + "description": "paths is a collection of paths that map requests to backends.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "paths" + ], + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1.IPBlock": { + "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. 
The except entry describes CIDRs that should not be included within this rule.", + "properties": { + "cidr": { + "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", + "type": "string" + }, + "except": { + "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "cidr" + ], + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1.Ingress": { + "description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "FlowSchema" + "Ingress" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec", - "description": "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec", + "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus", - "description": "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus", + "description": "status is the current state of the Ingress. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "Ingress", + "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", + "io.k8s.api.networking.v1.IngressBackend": { + "description": "IngressBackend describes all endpoints for a given service and port.", "properties": { - "lastTransitionTime": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." + "resource": { + "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference", + "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"." }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", + "service": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend", + "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"." + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1.IngressClass": { + "description": "IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. 
When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IngressClass" + ] }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": "string" + "spec": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec", + "description": "spec is the desired state of the IngressClass. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IngressClass", + "version": "v1" + } + ], "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaList": { - "description": "FlowSchemaList is a list of FlowSchema objects.", + "io.k8s.api.networking.v1.IngressClassList": { + "description": "IngressClassList is a collection of IngressClasses.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "`items` is a list of FlowSchemas.", + "description": "items is the list of IngressClasses.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass" }, "type": "array" }, @@ -13980,12 +13813,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "FlowSchemaList" + "IngressClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata." } }, "required": [ 
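Review bot: the metadata description for IngressClassList ends at "Standard list metadata." with no More info link, while the ObjectMeta descriptions for Ingress and IngressClass in the preceding hunk keep the api-conventions.md#metadata link. Keep the link on the list type as well so the metadata fields are documented the same way across the networking.v1 definitions.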
@@ -13994,193 +13827,255 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchemaList", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "IngressClassList", + "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec": { - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "io.k8s.api.networking.v1.IngressClassParametersReference": { + "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.", "properties": { - "distinguisherMethod": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod", - "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." + "apiGroup": { + "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", + "type": "string" }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. 
Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": "integer" + "kind": { + "description": "kind is the type of resource being referenced.", + "type": "string" }, - "priorityLevelConfiguration": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference", - "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." + "name": { + "description": "name is the name of resource being referenced.", + "type": "string" }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "namespace": { + "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".", + "type": "string" + }, + "scope": { + "description": "scope represents if this refers to a cluster or namespace scoped resource. 
This may be set to \"Cluster\" (default) or \"Namespace\".", + "type": "string" } }, "required": [ - "priorityLevelConfiguration" + "kind", + "name" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus": { - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", + "io.k8s.api.networking.v1.IngressClassSpec": { + "description": "IngressClassSpec provides information about the class of an Ingress.", "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "controller": { + "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.", + "type": "string" + }, + "parameters": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference", + "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters." 
} }, "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.GroupSubject": { - "description": "GroupSubject holds detailed information for group-kind subject.", + "io.k8s.api.networking.v1.IngressList": { + "description": "IngressList is a collection of Ingress.", "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" + }, + "items": { + "description": "items is the list of Ingress.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IngressList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ - "name" + "items" ], "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IngressList", + "version": "v1" + } + ], "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.LimitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", + "io.k8s.api.networking.v1.IngressLoadBalancerIngress": { + "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.", "properties": { - "queuing": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration", - "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." + "hostname": { + "description": "hostname is set for load-balancer ingress points that are DNS based.", + "type": "string" }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. 
Required.", + "ip": { + "description": "ip is set for load-balancer ingress points that are IP based.", "type": "string" + }, + "ports": { + "description": "ports provides information about the ports exposed by this LoadBalancer.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, - "required": [ - "type" - ], "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", + "io.k8s.api.networking.v1.IngressLoadBalancerStatus": { + "description": "IngressLoadBalancerStatus represents the status of a load-balancer.", "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). 
When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": "integer" + "ingress": { + "description": "ingress is a list containing ingress points for the load-balancer.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1.IngressPortStatus": { + "description": "IngressPortStatus represents the error condition of a service port", + "properties": { + "error": { + "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.", + "type": "string" }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", + "port": { + "description": "port is the port number of the ingress port.", "format": "int32", "type": "integer" }, - "limitResponse": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse", - "description": "`limitResponse` indicates what to do with requests that can not be executed right now" + "protocol": { + "description": "protocol is the protocol of the ingress port. 
The supported values are: \"TCP\", \"UDP\", \"SCTP\"", + "type": "string" + } + }, + "required": [ + "port", + "protocol" + ], + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1.IngressRule": { + "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", + "properties": { + "host": { + "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. 
If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.", + "type": "string" }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": "integer" + "http": { + "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue" } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", + "io.k8s.api.networking.v1.IngressServiceBackend": { + "description": "IngressServiceBackend references a Kubernetes Service as a Backend.", "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. 
For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "name": { + "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.", + "type": "string" }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "port": { + "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort", + "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend." } }, "required": [ - "verbs", - "nonResourceURLs" + "name" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. 
This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "io.k8s.api.networking.v1.IngressSpec": { + "description": "IngressSpec describes the Ingress the user wishes to exist.", "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", + "defaultBackend": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", + "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller." + }, + "ingressClassName": { + "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.", + "type": "string" + }, + "rules": { + "description": "rules is a list of host rules used to configure the Ingress. 
If unspecified, or no rule matches, all traffic is sent to the default backend.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", + "tls": { + "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS" }, "type": "array", "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1.IngressStatus": { + "description": "IngressStatus describe the current state of the Ingress.", + "properties": { + "loadBalancer": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus", + "description": "loadBalancer contains the current status of the load-balancer." 
+ } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1.IngressTLS": { + "description": "IngressTLS describes the transport layer security associated with an ingress.", + "properties": { + "hosts": { + "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" + }, + "secretName": { + "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.", + "type": "string" } }, - "required": [ - "subjects" - ], "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration": { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "io.k8s.api.networking.v1.NetworkPolicy": { + "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -14190,70 +14085,85 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PriorityLevelConfiguration" + "NetworkPolicy" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec", - "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus", - "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec", + "description": "spec represents the specification of the desired behavior for this NetworkPolicy." 
} }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "NetworkPolicy", + "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", + "io.k8s.api.networking.v1.NetworkPolicyEgressRule": { + "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8", "properties": { - "lastTransitionTime": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": "string" - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": "string" + "ports": { + "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. 
Required.", - "type": "string" + "to": { + "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1.NetworkPolicyIngressRule": { + "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", + "properties": { + "from": { + "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": "string" + "ports": { + "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList": { - "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", + "io.k8s.api.networking.v1.NetworkPolicyList": { + "description": "NetworkPolicyList is a list of NetworkPolicy objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "`items` is a list of request-priorities.", + "description": "items is a list of schema objects.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy" }, "type": "array" }, 
@@ -14261,12 +14171,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PriorityLevelConfigurationList" + "NetworkPolicyList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ 
@@ -14275,282 +14185,222 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "NetworkPolicyList", + "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", + "io.k8s.api.networking.v1.NetworkPolicyPeer": { + "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" + "ipBlock": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock", + "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be." + }, + "namespaceSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector." + }, + "podSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "podSelector is a label selector which selects pods. 
This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace." } }, - "required": [ - "name" - ], "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec": { - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", + "io.k8s.api.networking.v1.NetworkPolicyPort": { + "description": "NetworkPolicyPort describes a port to allow traffic on", "properties": { - "exempt": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration", - "description": "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply." + "endPort": { + "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", + "format": "int32", + "type": "integer" }, - "limited": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration", - "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." + "port": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. 
If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched." }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", + "protocol": { + "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", "type": "string" } }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ], - "additionalProperties": false - }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus": { - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that 
configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": "integer" - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": "integer" - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": "integer" - } - }, "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. 
A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", + "io.k8s.api.networking.v1.NetworkPolicySpec": { + "description": "NetworkPolicySpec provides the specification of a NetworkPolicy", "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", + "egress": { + "description": "egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" }, "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": "boolean" + "x-kubernetes-list-type": "atomic" }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. 
A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", + "ingress": { + "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" }, "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "podSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. 
An empty podSelector matches all pods in this namespace." }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", + "policyTypes": { + "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", "items": { "type": "string" }, "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" } }, "required": [ - "verbs", - "apiGroups", - "resources" + "podSelector" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "io.k8s.api.networking.v1.ServiceBackendPort": { + "description": "ServiceBackendPort is the service port being referenced.", "properties": { "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", "type": "string" }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. 
Required.", - "type": "string" + "number": { + "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".", + "format": "int32", + "type": "integer" } }, - "required": [ - "namespace", - "name" - ], "type": "object", + "x-kubernetes-map-type": "atomic", "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.Subject": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", + "io.k8s.api.networking.v1beta1.IPAddress": { + "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1", "properties": { - "group": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject", - "description": "`group` matches based on user group name." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" + "description": "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IPAddress" + ] }, - "serviceAccount": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject", - "description": "`serviceAccount` matches ServiceAccounts." + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "user": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject", - "description": "`user` matches based on username." + "spec": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddressSpec", + "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, - "required": [ - "kind" - ], "type": "object", - "x-kubernetes-unions": [ + "x-kubernetes-group-version-kind": [ { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } + "group": "networking.k8s.io", + "kind": "IPAddress", + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.flowcontrol.v1beta3.UserSubject": { - "description": "UserSubject holds detailed information for user-kind subject.", + "io.k8s.api.networking.v1beta1.IPAddressList": { + "description": "IPAddressList contains a list of IPAddress.", "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1.HTTPIngressPath": { - "description": "HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.", - "properties": { - "backend": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", - "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to." }, - "path": { - "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".", - "type": "string" + "items": { + "description": "items is the list of IPAddresses.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddress" + }, + "type": "array" }, - "pathType": { - "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. 
Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IPAddressList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ - "pathType", - "backend" + "items" ], "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IPAddressList", + "version": "v1beta1" + } + ], "additionalProperties": false }, - "io.k8s.api.networking.v1.HTTPIngressRuleValue": { - "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.", + "io.k8s.api.networking.v1beta1.IPAddressSpec": { + "description": "IPAddressSpec describe the attributes in an IP Address.", "properties": { - "paths": { - "description": "paths is a collection of paths that map requests to backends.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "parentRef": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ParentReference", + "description": "ParentRef references the resource that an IPAddress is attached to. 
An IPAddress must reference a parent object." } }, "required": [ - "paths" + "parentRef" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.networking.v1.IPBlock": { - "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.", + "io.k8s.api.networking.v1beta1.ParentReference": { + "description": "ParentReference describes a reference to a parent object.", "properties": { - "cidr": { - "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", + "group": { + "description": "Group is the group of the object being referenced.", "type": "string" }, - "except": { - "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "name": { + "description": "Name is the name of the object being referenced.", + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the object being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the resource of the object being referenced.", + "type": "string" } }, "required": [ - "cidr" + "resource", + "name" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.networking.v1.Ingress": { - "description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. 
An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.", + "io.k8s.api.networking.v1beta1.ServiceCIDR": { + "description": "ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -14560,7 +14410,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "Ingress" + "ServiceCIDR" ] }, "metadata": { 
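Review bot: In the added `io.k8s.api.networking.v1.NetworkPolicy*` definitions, the rules that decide whether a policy is valid exist only in description text, so a validator driven by this schema accepts manifests the prose calls invalid. `NetworkPolicyPeer` says "Only certain combinations of fields are allowed" and that `ipBlock` excludes the other fields, yet it carries no union or exclusivity keyword; `NetworkPolicyPort.endPort` has no check that `port` is set and numeric; and `policyTypes` items are a plain `"type": "string"` with no `enum` for `Ingress` and `Egress`, so a misspelled value passes schema validation. If this file is used for CI linting or pre-admission checks, either encode what JSON Schema can express (an `enum` on the `policyTypes` items is the cheapest) or state in the repo that semantic validation has to happen elsewhere. Separately, the `ServiceCIDR` description gives `2001:db2::/64` as its example while the `IPAddress` description in the same hunk uses the `2001:db8::` documentation prefix; that looks like a typo, and if this file is generated it should be fixed at the source rather than here.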
@@ -14568,83 +14418,167 @@ "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec", - "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec", + "description": "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus", - "description": "status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus", + "description": "status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "networking.k8s.io", - "kind": "Ingress", - "version": "v1" + "kind": "ServiceCIDR", + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressBackend": { - "description": "IngressBackend describes all endpoints for a given service and port.", + "io.k8s.api.networking.v1beta1.ServiceCIDRList": { + "description": "ServiceCIDRList contains a list of ServiceCIDR objects.", "properties": { - "resource": { - "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference", - "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. 
This is a mutually exclusive setting with \"Service\"." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, - "service": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend", - "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"." + "items": { + "description": "items is the list of ServiceCIDRs.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDR" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ServiceCIDRList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, + "required": [ + "items" + ], "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "ServiceCIDRList", + "version": "v1beta1" + } + ], "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressClass": { - "description": "IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. 
When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.", + "io.k8s.api.networking.v1beta1.ServiceCIDRSpec": { + "description": "ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.", + "properties": { + "cidrs": { + "description": "CIDRs defines the IP blocks in CIDR notation (e.g. \"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.networking.v1beta1.ServiceCIDRStatus": { + "description": "ServiceCIDRStatus describes the current state of the ServiceCIDR.", + "properties": { + "conditions": { + "description": "conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. Current service state", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.node.v1.Overhead": { + "description": "Overhead structure represents the resource overhead associated with running a pod.", + "properties": { + "podFixed": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + }, + "description": "podFixed represents the fixed resource overhead associated with running a pod.", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.node.v1.RuntimeClass": { + "description": "RuntimeClass defines a class of container runtime supported in the cluster. 
The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, + "handler": { + "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.", + "type": "string" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressClass" + "RuntimeClass" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec", - "description": "spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "overhead": { + "$ref": "#/definitions/io.k8s.api.node.v1.Overhead", + "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" + }, + "scheduling": { + "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling", + "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes." } }, + "required": [ + "handler" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressClass", + "group": "node.k8s.io", + "kind": "RuntimeClass", "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressClassList": { - "description": "IngressClassList is a collection of IngressClasses.", + "io.k8s.api.node.v1.RuntimeClassList": { + "description": "RuntimeClassList is a list of RuntimeClass objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of IngressClasses.", + "description": "items is a list of schema objects.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass" + "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass" }, "type": "array" }, @@ -14652,12 +14586,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressClassList" + "RuntimeClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata." + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ 
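Review bot: `ServiceCIDRSpec.cidrs` is described as "Max of two CIDRs is allowed, one of each IP family" but the array has no `maxItems`, and `ServiceCIDRSpec` has no `required` list, so an empty spec or a three-entry list validates against this schema. The same gap applies to `RuntimeClass.handler`: the description requires a lowercase DNS label (RFC 1123), while the property is an unconstrained `"type": "string"`, and a `pattern` would let tooling reject a malformed handler name before it reaches the cluster. Two descriptions in these hunks also read as incomplete: `RuntimeClass.metadata` begins at "More info:" with no leading sentence, and `RuntimeClassList.items` says "items is a list of schema objects." without naming the element type. If the file is generated, these belong in the generator or its input rather than in a hand edit.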
@@ -14666,70 +14600,117 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressClassList", + "group": "node.k8s.io", + "kind": "RuntimeClassList", "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressClassParametersReference": { - "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.", + "io.k8s.api.node.v1.Scheduling": { + "description": "Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.", "properties": { - "apiGroup": { - "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", - "type": "string" + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "description": "nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.", + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "kind": { - "description": "kind is the type of resource being referenced.", + "tolerations": { + "description": "tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.", + "items": { + "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.policy.v1.Eviction": { + "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. 
This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "name": { - "description": "name is the name of resource being referenced.", - "type": "string" + "deleteOptions": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions", + "description": "DeleteOptions may be provided" }, - "namespace": { - "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "Eviction" + ] }, - "scope": { - "description": "scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta describes the pod that is being evicted." 
} }, - "required": [ - "kind", - "name" - ], "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "policy", + "kind": "Eviction", + "version": "v1" + } + ], "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressClassSpec": { - "description": "IngressClassSpec provides information about the class of an Ingress.", + "io.k8s.api.policy.v1.PodDisruptionBudget": { + "description": "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods", "properties": { - "controller": { - "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "parameters": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference", - "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters." + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "PodDisruptionBudget" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec", + "description": "Specification of the desired behavior of the PodDisruptionBudget." + }, + "status": { + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus", + "description": "Most recently observed status of the PodDisruptionBudget." } }, "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "policy", + "kind": "PodDisruptionBudget", + "version": "v1" + } + ], "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressList": { - "description": "IngressList is a collection of Ingress.", + "io.k8s.api.policy.v1.PodDisruptionBudgetList": { + "description": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of Ingress.", + "description": "Items is a list of PodDisruptionBudgets", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress" + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget" }, "type": "array" }, 
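Review bot: the new `io.k8s.api.policy.v1.Eviction` definition in this hunk has no `required` list, so a validator driven by this file accepts an Eviction with no `metadata` at all, even though the field's description says ObjectMeta "describes the pod that is being evicted". If the file is regenerated verbatim from the upstream OpenAPI document, leave the definition as it is and make sure whatever consumes this schema checks for the pod name itself. If the file is hand-maintained, consider adding `"required": ["metadata"]` to the definition.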
@@ -14737,7 +14718,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressList" + "PodDisruptionBudgetList" ] }, "metadata": { 
@@ -14751,130 +14732,102 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressList", + "group": "policy", + "kind": "PodDisruptionBudgetList", "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressLoadBalancerIngress": { - "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.", + "io.k8s.api.policy.v1.PodDisruptionBudgetSpec": { + "description": "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.", "properties": { - "hostname": { - "description": "hostname is set for load-balancer ingress points that are DNS based.", - "type": "string" + "maxUnavailable": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\"." }, - "ip": { - "description": "ip is set for load-balancer ingress points that are IP based.", - "type": "string" + "minAvailable": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\"." 
}, - "ports": { - "description": "ports provides information about the ports exposed by this LoadBalancer.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "selector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.", + "x-kubernetes-patch-strategy": "replace" + }, + "unhealthyPodEvictionPolicy": { + "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. 
The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).", + "type": "string" } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressLoadBalancerStatus": { - "description": "IngressLoadBalancerStatus represents the status of a load-balancer.", + "io.k8s.api.policy.v1.PodDisruptionBudgetStatus": { + "description": "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.", "properties": { - "ingress": { - "description": "ingress is a list containing ingress points for the load-balancer.", + "conditions": { + "description": "Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. 
No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress" + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" }, "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1.IngressPortStatus": { - "description": "IngressPortStatus represents the error condition of a service port", - "properties": { - "error": { - "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.", - "type": "string" + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" }, - "port": { - "description": "port is the port number of the ingress port.", + "currentHealthy": { + "description": "current number of healthy pods", "format": "int32", "type": "integer" }, - "protocol": { - "description": "protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"", - "type": "string" - } - }, - "required": [ - "port", - "protocol" - ], - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1.IngressRule": { - "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. 
Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", - "properties": { - "host": { - "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. 
If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.", - "type": "string" + "desiredHealthy": { + "description": "minimum desired number of healthy pods", + "format": "int32", + "type": "integer" }, - "http": { - "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue" - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1.IngressServiceBackend": { - "description": "IngressServiceBackend references a Kubernetes Service as a Backend.", - "properties": { - "name": { - "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.", - "type": "string" + "disruptedPods": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "description": "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.", + "type": "object" }, - "port": { - "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort", - "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend." 
+ "disruptionsAllowed": { + "description": "Number of pod disruptions that are currently allowed.", + "format": "int32", + "type": "integer" + }, + "expectedPods": { + "description": "total number of pods counted by this disruption budget", + "format": "int32", + "type": "integer" + }, + "observedGeneration": { + "description": "Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.", + "format": "int64", + "type": "integer" } }, "required": [ - "name" + "disruptionsAllowed", + "currentHealthy", + "desiredHealthy", + "expectedPods" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressSpec": { - "description": "IngressSpec describes the Ingress the user wishes to exist.", + "io.k8s.api.rbac.v1.AggregationRule": { + "description": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole", "properties": { - "defaultBackend": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", - "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller." - }, - "ingressClassName": { - "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. 
However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.", - "type": "string" - }, - "rules": { - "description": "rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "tls": { - "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.", + "clusterRoleSelectors": { + "description": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS" + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" 
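Review bot: in `io.k8s.api.policy.v1.PodDisruptionBudgetSpec`, two constraints exist only in the description strings and not in the schema. `maxUnavailable` is described as "a mutually exclusive setting with \"minAvailable\"", but nothing in the definition stops both from being set. `unhealthyPodEvictionPolicy` is a bare `"type": "string"` although its description names IfHealthyBudget and AlwaysAllow as the valid policies, while the `kind` fields in this same diff do carry an `enum`. A manifest that sets both budget fields, or a misspelled policy, will pass validation against this file and only be rejected by the API server. Worth noting wherever this schema is used as a pre-admission check, or adding the `enum` if the file can be edited.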
@@ -14883,38 +14836,49 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.networking.v1.IngressStatus": { - "description": "IngressStatus describe the current state of the Ingress.", - "properties": { - "loadBalancer": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus", - "description": "loadBalancer contains the current status of the load-balancer." - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1.IngressTLS": { - "description": "IngressTLS describes the transport layer security associated with an ingress.", + "io.k8s.api.rbac.v1.ClusterRole": { + "description": "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.", "properties": { - "hosts": { - "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.", + "aggregationRule": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.AggregationRule", + "description": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller." + }, + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ClusterRole" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." + }, + "rules": { + "description": "Rules holds all the PolicyRules for this ClusterRole", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" }, "type": "array", "x-kubernetes-list-type": "atomic" - }, - "secretName": { - "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.", - "type": "string" } }, "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "version": "v1" + } + ], "additionalProperties": false }, - "io.k8s.api.networking.v1.NetworkPolicy": { - "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods", + "io.k8s.api.rbac.v1.ClusterRoleBinding": { + "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -14924,85 +14888,89 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "NetworkPolicy" + "ClusterRoleBinding" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec", - "description": "spec represents the specification of the desired behavior for this NetworkPolicy." + "roleRef": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", + "description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + }, + "subjects": { + "description": "Subjects holds references to the objects the role applies to.", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, + "required": [ + "roleRef" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "NetworkPolicy", + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleBinding", "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.networking.v1.NetworkPolicyEgressRule": { - "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. 
This type is beta-level in 1.8", + "io.k8s.api.rbac.v1.ClusterRoleBindingList": { + "description": "ClusterRoleBindingList is a collection of ClusterRoleBindings", "properties": { - "ports": { - "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, - "to": { - "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). 
If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", + "items": { + "description": "Items is a list of ClusterRoleBindings", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding" }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1.NetworkPolicyIngressRule": { - "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", - "properties": { - "from": { - "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "type": "array" }, - "ports": { - "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ClusterRoleBindingList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata." } }, + "required": [ + "items" + ], "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleBindingList", + "version": "v1" + } + ], "additionalProperties": false }, - "io.k8s.api.networking.v1.NetworkPolicyList": { - "description": "NetworkPolicyList is a list of NetworkPolicy objects.", + "io.k8s.api.rbac.v1.ClusterRoleList": { + "description": "ClusterRoleList is a collection of ClusterRoles", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is a list of schema objects.", + "description": "Items is a list of ClusterRoles", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy" + "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRole" }, "type": "array" }, 
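Review bot: this hunk deletes `io.k8s.api.networking.v1.NetworkPolicy`, `NetworkPolicyEgressRule` and `NetworkPolicyIngressRule` at this position and puts the `rbac.v1` ClusterRoleBinding definitions in their place, and nothing in the visible lines adds the NetworkPolicy types back. This may only be the diff misaligning as definitions shifted within the file, but please confirm that the `networking.v1` definitions are still present in the regenerated file. If they are gone, NetworkPolicy manifests can no longer be validated against this schema.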
@@ -15010,12 +14978,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "NetworkPolicyList" + "ClusterRoleList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." } }, "required": [ 
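Review bot: the `metadata` property here still points at `io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta`, but its description changes from "Standard list metadata. More info: ..." to "Standard object's metadata.", which is wrong for a list type and drops the api-conventions link. The `ClusterRoleBindingList` definition added in the previous hunk has the same wording. If this text comes straight from the upstream generator, it is fine to keep for fidelity. Otherwise, restore the "Standard list metadata" wording and the link.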
@@ -15024,77 +14992,50 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "NetworkPolicyList", + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleList", "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.networking.v1.NetworkPolicyPeer": { - "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", - "properties": { - "ipBlock": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock", - "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be." - }, - "namespaceSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector." - }, - "podSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace." 
- } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1.NetworkPolicyPort": { - "description": "NetworkPolicyPort describes a port to allow traffic on", + "io.k8s.api.rbac.v1.PolicyRule": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.", "properties": { - "endPort": { - "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", - "format": "int32", - "type": "integer" - }, - "port": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched." + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "protocol": { - "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. 
If not specified, this field defaults to TCP.", - "type": "string" - } - }, - "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1.NetworkPolicySpec": { - "description": "NetworkPolicySpec provides the specification of a NetworkPolicy", - "properties": { - "egress": { - "description": "egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "ingress": { - "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. 
If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "podSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace." + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "policyTypes": { - "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. 
Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, 
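Review bot: In the new `io.k8s.api.rbac.v1.PolicyRule`, `apiGroups`, `resources` and `verbs` are plain string arrays with no `enum` or `pattern`, and their descriptions state that `*` means all API groups, all resources and all verbs, so a rule that is `*` in all three validates against this schema like any other. The `resourceNames` description adds that an empty set means everything is allowed, so leaving the field out widens a rule rather than narrowing it. If this schema is what gates RBAC manifests, pair it with a separate check for wildcards and for rules that omit `resourceNames`. Two wording nits in the added descriptions: `nonResourceURLs` is missing a full stop in `final step in the path Since non-resource URLs`, and `resourceNames` says `white list` where `allow list` would be clearer.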
@@ -15103,30 +15044,50 @@ } }, "required": [ - "podSelector" + "verbs" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.networking.v1.ServiceBackendPort": { - "description": "ServiceBackendPort is the service port being referenced.", + "io.k8s.api.rbac.v1.Role": { + "description": "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.", "properties": { - "name": { - "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "number": { - "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".", - "format": "int32", - "type": "integer" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "Role" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." 
+ }, + "rules": { + "description": "Rules holds all the PolicyRules for this Role", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", - "x-kubernetes-map-type": "atomic", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "Role", + "version": "v1" + } + ], "additionalProperties": false }, - "io.k8s.api.networking.v1beta1.IPAddress": { - "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1", + "io.k8s.api.rbac.v1.RoleBinding": { + "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
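Review bot: `required` for `PolicyRule` at the top of this hunk lists only `verbs`, so a rule with verbs and neither `resources` nor `nonResourceURLs` validates, and so does a rule that sets both, although the `nonResourceURLs` description says a rule applies to API resources or non-resource URL paths "but not both". Nothing in the definition (no `oneOf` or similar) expresses that constraint, so validation against this file alone will not catch it; worth a note for consumers or an extra check. The new `Role` definition likewise has no `required` list, so a Role without `rules` passes.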
@@ -15136,39 +15097,50 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IPAddress" + "RoleBinding" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddressSpec", - "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "roleRef": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", + "description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." 
+ }, + "subjects": { + "description": "Subjects holds references to the objects the role applies to.", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, + "required": [ + "roleRef" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IPAddress", - "version": "v1beta1" + "group": "rbac.authorization.k8s.io", + "kind": "RoleBinding", + "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.networking.v1beta1.IPAddressList": { - "description": "IPAddressList contains a list of IPAddress.", + "io.k8s.api.rbac.v1.RoleBindingList": { + "description": "RoleBindingList is a collection of RoleBindings", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of IPAddresses.", + "description": "Items is a list of RoleBindings", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddress" + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleBinding" }, "type": "array" }, 
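Review bot: `required` in the new `RoleBinding` definition lists only `roleRef`, and `subjects` carries no `minItems`, so a binding with no subjects validates cleanly. If this schema gates manifests, consider a separate lint for an absent or empty `subjects`. The `roleRef` description also says the field is immutable, which this schema cannot express, so a manifest change to `roleRef` needs to be caught by tooling outside this file. Minor: the `metadata` description drops the api-conventions link that the `apiVersion` and `kind` descriptions in the same definition keep.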
@@ -15176,12 +15148,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IPAddressList" + "RoleBindingList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." } }, "required": [ 
@@ -15190,277 +15162,269 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IPAddressList", - "version": "v1beta1" + "group": "rbac.authorization.k8s.io", + "kind": "RoleBindingList", + "version": "v1" } ], "additionalProperties": false }, - "io.k8s.api.networking.v1beta1.IPAddressSpec": { - "description": "IPAddressSpec describe the attributes in an IP Address.", + "io.k8s.api.rbac.v1.RoleList": { + "description": "RoleList is a collection of Roles", "properties": { - "parentRef": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ParentReference", - "description": "ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "Items is a list of Roles", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Role" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "RoleList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata." 
} }, "required": [ - "parentRef" + "items" ], "type": "object", - "additionalProperties": false - }, - "io.k8s.api.networking.v1beta1.ParentReference": { - "description": "ParentReference describes a reference to a parent object.", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "RoleList", + "version": "v1" + } + ], + "additionalProperties": false + }, + "io.k8s.api.rbac.v1.RoleRef": { + "description": "RoleRef contains information that points to the role being used", "properties": { - "group": { - "description": "Group is the group of the object being referenced.", - "type": "string" - }, - "name": { - "description": "Name is the name of the object being referenced.", + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced", "type": "string" }, - "namespace": { - "description": "Namespace is the namespace of the object being referenced.", + "kind": { + "description": "Kind is the type of resource being referenced", "type": "string" }, - "resource": { - "description": "Resource is the resource of the object being referenced.", + "name": { + "description": "Name is the name of resource being referenced", "type": "string" } }, "required": [ - "resource", + "apiGroup", + "kind", "name" ], "type": "object", + "x-kubernetes-map-type": "atomic", "additionalProperties": false }, - "io.k8s.api.networking.v1beta1.ServiceCIDR": { - "description": "ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.", + "io.k8s.api.rbac.v1.Subject": { + "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "apiGroup": { + "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", "type": "string" }, "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ServiceCIDR" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", + "type": "string" }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec", - "description": "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "name": { + "description": "Name of the object being referenced.", + "type": "string" }, - "status": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus", - "description": "status represents the current state of the ServiceCIDR. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "namespace": { + "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", + "type": "string" } }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "networking.k8s.io", - "kind": "ServiceCIDR", - "version": "v1beta1" - } + "required": [ + "kind", + "name" ], + "type": "object", + "x-kubernetes-map-type": "atomic", "additionalProperties": false }, - "io.k8s.api.networking.v1beta1.ServiceCIDRList": { - "description": "ServiceCIDRList contains a list of ServiceCIDR objects.", + "io.k8s.api.resource.v1alpha3.AllocationResult": { + "description": "AllocationResult contains attributes of an allocated resource.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items is the list of ServiceCIDRs.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDR" - }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ServiceCIDRList" - ] + "devices": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "description": "Devices is the result of allocating devices." 
}, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "nodeSelector": { + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere." } }, - "required": [ - "items" - ], "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "networking.k8s.io", - "kind": "ServiceCIDRList", - "version": "v1beta1" - } - ], "additionalProperties": false }, - "io.k8s.api.networking.v1beta1.ServiceCIDRSpec": { - "description": "ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.", + "io.k8s.api.resource.v1alpha3.BasicDevice": { + "description": "BasicDevice defines one device instance.", "properties": { - "cidrs": { - "description": "CIDRs defines the IP blocks in CIDR notation (e.g. \"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.", - "items": { - "type": "string" + "attributes": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": "object" + }, + "capacity": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + }, + "description": "Capacity defines the set of capacities for this device. 
The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": "object" } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.networking.v1beta1.ServiceCIDRStatus": { - "description": "ServiceCIDRStatus describes the current state of the ServiceCIDR.", + "io.k8s.api.resource.v1alpha3.CELDeviceSelector": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", "properties": { - "conditions": { - "description": "conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. Current service state", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". 
This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" } }, + "required": [ + "expression" + ], "type": "object", "additionalProperties": false }, - "io.k8s.api.node.v1.Overhead": { - "description": "Overhead structure represents the resource overhead associated with running a pod.", + "io.k8s.api.resource.v1alpha3.Device": { + "description": "Device represents one individual hardware instance that can be selected based on its attributes. 
Besides the name, exactly one field must be set.", "properties": { - "podFixed": { - "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" - }, - "description": "podFixed represents the fixed resource overhead associated with running a pod.", - "type": "object" + "basic": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "description": "Basic defines one device instance." + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": "string" } }, + "required": [ + "name" + ], "type": "object", "additionalProperties": false }, - "io.k8s.api.node.v1.RuntimeClass": { - "description": "RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/", + "io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "handler": { - "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. 
It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RuntimeClass" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." }, - "overhead": { - "$ref": "#/definitions/io.k8s.api.node.v1.Overhead", - "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "scheduling": { - "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling", - "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. 
If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes." + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" } }, "required": [ - "handler" + "source" ], "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "node.k8s.io", - "kind": "RuntimeClass", - "version": "v1" - } - ], "additionalProperties": false }, - "io.k8s.api.node.v1.RuntimeClassList": { - "description": "RuntimeClassList is a list of RuntimeClass objects.", + "io.k8s.api.resource.v1alpha3.DeviceAllocationResult": { + "description": "DeviceAllocationResult is the result of allocating devices.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. 
They can silently ignore unknown configuration parameters.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "items": { - "description": "items is a list of schema objects.", + "results": { + "description": "Results lists all allocated devices.", "items": { - "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" }, - "type": "array" + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.resource.v1alpha3.DeviceAttribute": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": "boolean" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RuntimeClassList" - ] + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": "integer" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": "string" + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. 
Must not be longer than 64 characters.", + "type": "string" } }, - "required": [ - "items" - ], "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "node.k8s.io", - "kind": "RuntimeClassList", - "version": "v1" - } - ], "additionalProperties": false }, - "io.k8s.api.node.v1.Scheduling": { - "description": "Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.", + "io.k8s.api.resource.v1alpha3.DeviceClaim": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", "properties": { - "nodeSelector": { - "additionalProperties": { - "type": "string" + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" }, - "description": "nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. 
Any conflicts will cause the pod to be rejected in admission.", - "type": "object", - "x-kubernetes-map-type": "atomic" + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "tolerations": { - "description": "tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.", + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" }, "type": "array", "x-kubernetes-list-type": "atomic" 
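Review bot: In the added `io.k8s.api.resource.v1alpha3.DeviceAttribute` definition, the limits stated in the descriptions are not expressed in the schema itself. The type "must have exactly one field set", and `string` and `version` "Must not be longer than 64 characters", yet there is no `required` list, no one-of constraint, and neither string property carries a `maxLength`. With only `additionalProperties: false`, an empty object or one that sets both `bool` and `int` passes validation against this file. If the file is used to validate manifests before they reach the cluster, consider adding `maxLength: 64` plus `minProperties` and `maxProperties` of 1 where the generator allows it, or state next to the definition that this schema does not enforce those rules.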
@@ -15469,41 +15433,27 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.policy.v1.Eviction": { - "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.", + "io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "deleteOptions": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions", - "description": "DeleteOptions may be provided" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "Eviction" - ] + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "ObjectMeta describes the pod that is being evicted." + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "policy", - "kind": "Eviction", - "version": "v1" - } - ], "additionalProperties": false }, - "io.k8s.api.policy.v1.PodDisruptionBudget": { - "description": "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods", + "io.k8s.api.resource.v1alpha3.DeviceClass": { + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -15513,43 +15463,53 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PodDisruptionBudget" + "DeviceClass" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec", - "description": "Specification of the desired behavior of the PodDisruptionBudget." - }, - "status": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus", - "description": "Most recently observed status of the PodDisruptionBudget." + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." 
} }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "policy", - "kind": "PodDisruptionBudget", - "version": "v1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1alpha3" } ], "additionalProperties": false }, - "io.k8s.api.policy.v1.PodDisruptionBudgetList": { - "description": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.", + "io.k8s.api.resource.v1alpha3.DeviceClassConfiguration": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.resource.v1alpha3.DeviceClassList": { + "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of PodDisruptionBudgets", + "description": "Items is the list of resource classes.", "items": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" }, "type": "array" }, 
@@ -15557,12 +15517,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PodDisruptionBudgetList" + "DeviceClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata" } }, "required": [ 
@@ -15571,153 +15531,160 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "policy", - "kind": "PodDisruptionBudgetList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "DeviceClassList", + "version": "v1alpha3" } ], "additionalProperties": false }, - "io.k8s.api.policy.v1.PodDisruptionBudgetSpec": { - "description": "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.", + "io.k8s.api.resource.v1alpha3.DeviceClassSpec": { + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { - "maxUnavailable": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\"." - }, - "minAvailable": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\"." - }, - "selector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.", - "x-kubernetes-patch-strategy": "replace" + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. 
Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "unhealthyPodEvictionPolicy": { - "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. 
The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).", - "type": "string" + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.policy.v1.PodDisruptionBudgetStatus": { - "description": "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.", + "io.k8s.api.resource.v1alpha3.DeviceConstraint": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", "properties": { - "conditions": { - "description": "Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.", + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. 
A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": "string" + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + "type": "string" }, "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.resource.v1alpha3.DeviceRequest": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": "boolean" }, - "currentHealthy": { - "description": "current number of healthy pods", - "format": "int32", - "type": "integer" + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": "string" }, - "desiredHealthy": { - "description": "minimum desired number of healthy pods", - "format": "int32", + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", "type": "integer" }, - "disruptedPods": { - "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" }, - "description": "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. 
Large number of entries in the map may indicate problems with pod deletions.", - "type": "object" + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": "boolean" }, - "disruptionsAllowed": { - "description": "Number of pod disruptions that are currently allowed.", - "format": "int32", - "type": "integer" + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": "string" }, - "expectedPods": { - "description": "total number of pods counted by this disruption budget", - "format": "int32", - "type": "integer" + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" }, - "observedGeneration": { - "description": "Most recent generation observed when updating this PDB status. 
DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.", - "format": "int64", - "type": "integer" + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" } }, "required": [ - "disruptionsAllowed", - "currentHealthy", - "desiredHealthy", - "expectedPods" + "request", + "driver", + "pool", + "device" ], "type": "object", "additionalProperties": false }, - "io.k8s.api.rbac.v1.AggregationRule": { - "description": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole", + "io.k8s.api.resource.v1alpha3.DeviceSelector": { + "description": "DeviceSelector must have exactly one field set.", "properties": { - "clusterRoleSelectors": { - "description": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "cel": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "description": "CEL contains a CEL expression for selecting a device." 
} }, "type": "object", "additionalProperties": false }, - "io.k8s.api.rbac.v1.ClusterRole": { - "description": "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.", + "io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", "properties": { - "aggregationRule": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.AggregationRule", - "description": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller." - }, - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", "type": "string" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterRole" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." - }, - "rules": { - "description": "Rules holds all the PolicyRules for this ClusterRole", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "parameters": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRole", - "version": "v1" - } + "required": [ + "driver", + "parameters" ], + "type": "object", "additionalProperties": false }, - "io.k8s.api.rbac.v1.ClusterRoleBinding": { - "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", + "io.k8s.api.resource.v1alpha3.ResourceClaim": { + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. 
The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
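Review bot: In `io.k8s.api.resource.v1alpha3.DeviceRequest`, `allocationMode` is a bare `string` and `count` a bare `int64` integer, although the descriptions limit the mode to `ExactCount` or `All` and say count "Must be greater than zero". The `kind` properties in this same hunk do carry an `enum`, so an `enum` on `allocationMode` and `minimum: 1` on `count` would let a schema check reject the unknown modes that the text says clients must refuse; if the enum is left out because "More modes may get added in the future", say so in the description. The same gap applies to `DeviceSelector` and `DeviceConstraint`, whose "exactly one field set" rule is only in prose, and to `OpaqueDeviceConfiguration.parameters`, whose 10 Ki limit has no counterpart in the schema. Separately, `adminAccess` is an ordinary optional boolean here even though such claims "ignore all ordinary claims to the device", so anything linting manifests with this file should flag `adminAccess: true` explicitly rather than rely on the schema. The added descriptions also contain the typos "classses", "It's absence" and "AlloctionMode", which are worth fixing at the source the file is generated from.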
@@ -15727,89 +15694,74 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ClusterRoleBinding" + "ResourceClaim" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "description": "Standard object metadata" }, - "roleRef": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", - "description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, - "subjects": { - "description": "Subjects holds references to the objects the role applies to.", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "status": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "description": "Status describes whether the claim is ready to use and what has been allocated." 
} }, "required": [ - "roleRef" + "spec" ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleBinding", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1alpha3" } ], "additionalProperties": false }, - "io.k8s.api.rbac.v1.ClusterRoleBindingList": { - "description": "ClusterRoleBindingList is a collection of ClusterRoleBindings", + "io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", "type": "string" }, - "items": { - "description": "Items is a list of ClusterRoleBindings", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding" - }, - "type": "array" + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterRoleBindingList" - ] + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" } }, "required": [ - "items" + "resource", + "name", + "uid" ], "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleBindingList", - "version": "v1" - } - ], "additionalProperties": false }, - "io.k8s.api.rbac.v1.ClusterRoleList": { - "description": "ClusterRoleList is a collection of ClusterRoles", + "io.k8s.api.resource.v1alpha3.ResourceClaimList": { + "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of ClusterRoles", + "description": "Items is the list of resource claims.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRole" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" }, "type": "array" }, 
@@ -15817,12 +15769,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ClusterRoleList" + "ResourceClaimList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "description": "Standard list metadata" } }, "required": [ 
@@ -15831,65 +15783,50 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaimList", + "version": "v1alpha3" } ], "additionalProperties": false }, - "io.k8s.api.rbac.v1.PolicyRule": { - "description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.", + "io.k8s.api.resource.v1alpha3.ResourceClaimSpec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { - "apiGroups": { - "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "nonResourceURLs": { - "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resourceNames": { - "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resources": { - "description": "Resources is a list of resources this rule applies to. 
'*' represents all resources.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "devices": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "description": "Devices defines how to request devices." + } + }, + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.resource.v1alpha3.ResourceClaimStatus": { + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "description": "Allocation is set once the claim has been allocated successfully." }, - "verbs": { - "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. 
This may get increased in the future, but not reduced.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" }, "type": "array", - "x-kubernetes-list-type": "atomic" + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" } }, - "required": [ - "verbs" - ], "type": "object", "additionalProperties": false }, - "io.k8s.api.rbac.v1.Role": { - "description": "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.", + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplate": { + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
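Review bot: in the added `ResourceClaimStatus.reservedFor`, the bound "There can be at most 32 such reservations" exists only in the description; the array is declared with `x-kubernetes-list-type: map` keyed on `uid` but has no `maxItems`. Validation against this schema will accept longer lists, so either add `"maxItems": 32` or document where the bound is enforced.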
@@ -15899,126 +15836,161 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "Role" + "ResourceClaimTemplate" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "description": "Standard object metadata" }, - "rules": { - "description": "Rules holds all the PolicyRules for this Role", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." } }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "Role", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1alpha3" } ], "additionalProperties": false }, - "io.k8s.api.rbac.v1.RoleBinding": { - "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. 
RoleBindings in a given namespace only have effect in that namespace.", + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateList": { + "description": "ResourceClaimTemplateList is a collection of claim templates.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, + "items": { + "description": "Items is the list of resource claim templates.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" + }, + "type": "array" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleBinding" + "ResourceClaimTemplateList" ] }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplateList", + "version": "v1alpha3" + } + ], + "additionalProperties": false + }, + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec": { + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." 
- }, - "roleRef": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", - "description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." }, - "subjects": { - "description": "Subjects holds references to the objects the role applies to.", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." } }, "required": [ - "roleRef" + "spec" ], "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "RoleBinding", - "version": "v1" + "additionalProperties": false + }, + "io.k8s.api.resource.v1alpha3.ResourcePool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. 
The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" ], + "type": "object", "additionalProperties": false }, - "io.k8s.api.rbac.v1.RoleBindingList": { - "description": "RoleBindingList is a collection of RoleBindings", + "io.k8s.api.resource.v1alpha3.ResourceSlice": { + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. 
The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "items": { - "description": "Items is a list of RoleBindings", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleBinding" - }, - "type": "array" - }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleBindingList" + "ResourceSlice" ] }, "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." } }, "required": [ - "items" + "spec" ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "RoleBindingList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1alpha3" } ], "additionalProperties": false }, - "io.k8s.api.rbac.v1.RoleList": { - "description": "RoleList is a collection of Roles", + "io.k8s.api.resource.v1alpha3.ResourceSliceList": { + "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of Roles", + "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Role" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" }, "type": "array" }, 
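Review bot: the added `ResourcePool` states its limits only in prose: `name` "must not be longer than 253 characters" and `resourceSliceCount` "Must be greater than zero", yet neither property carries `maxLength` or `minimum`. Suggest `"maxLength": 253` on `name` and `"minimum": 1` on `resourceSliceCount`, since the description relies on that count for consumers to tell whether they have seen every ResourceSlice in a pool.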
@@ -16026,12 +15998,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleList" + "ResourceSliceList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "description": "Standard list metadata" } }, "required": [ 
@@ -16040,71 +16012,57 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "RoleList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceSliceList", + "version": "v1alpha3" } ], "additionalProperties": false }, - "io.k8s.api.rbac.v1.RoleRef": { - "description": "RoleRef contains information that points to the role being used", + "io.k8s.api.resource.v1alpha3.ResourceSliceSpec": { + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { - "apiGroup": { - "description": "APIGroup is the group for the resource being referenced", - "type": "string" + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", + "type": "boolean" }, - "kind": { - "description": "Kind is the type of resource being referenced", - "type": "string" + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.Device" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "name": { - "description": "Name is the name of resource being referenced", - "type": "string" - } - }, - "required": [ - "apiGroup", - "kind", - "name" - ], - "type": "object", - "x-kubernetes-map-type": "atomic", - "additionalProperties": false - }, - "io.k8s.api.rbac.v1.Subject": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. 
Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", "type": "string" }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. This field is immutable.", "type": "string" }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" + "nodeSelector": { + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", - "type": "string" + "pool": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "description": "Pool describes the pool that this ResourceSlice belongs to." 
} }, "required": [ - "kind", - "name" + "driver", + "pool" ], "type": "object", - "x-kubernetes-map-type": "atomic", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.AllocationResult": { + "io.k8s.api.resource.v1beta1.AllocationResult": { "description": "AllocationResult contains attributes of an allocated resource.", "properties": { "devices": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult", "description": "Devices is the result of allocating devices." }, "nodeSelector": { @@ -16115,19 +16073,19 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.BasicDevice": { + "io.k8s.api.resource.v1beta1.BasicDevice": { "description": "BasicDevice defines one device instance.", "properties": { "attributes": { "additionalProperties": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" }, "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" }, "capacity": { "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" @@ -16136,7 +16094,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.CELDeviceSelector": { + "io.k8s.api.resource.v1beta1.CELDeviceSelector": { "description": "CELDeviceSelector contains a CEL expression for selecting a device.", "properties": { "expression": { 
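Review bot: the `BasicDevice.capacity` change on this line is a shape change, not just a version rename: `additionalProperties` moves from `io.k8s.apimachinery.pkg.api.resource.Quantity` to `io.k8s.api.resource.v1beta1.DeviceCapacity`, which is defined later in this diff as an object with a required `value`. Call this out separately from the surrounding `v1alpha3` to `v1beta1` `$ref` renames, and check any manifests or fixtures that set `capacity` against the new type.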
@@ -16150,11 +16108,11 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.Device": { + "io.k8s.api.resource.v1beta1.Device": { "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { "basic": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.BasicDevice", "description": "Basic defines one device instance." }, "name": { @@ -16168,11 +16126,11 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration": { "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { 
@@ -16194,13 +16152,13 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceAllocationResult": { + "io.k8s.api.resource.v1beta1.DeviceAllocationResult": { "description": "DeviceAllocationResult is the result of allocating devices.", "properties": { "config": { "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -16208,7 +16166,7 @@ "results": { "description": "Results lists all allocated devices.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -16217,7 +16175,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceAttribute": { + "io.k8s.api.resource.v1beta1.DeviceAttribute": { "description": "DeviceAttribute must have exactly one field set.", "properties": { "bool": { 
@@ -16241,13 +16199,27 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceClaim": { + "io.k8s.api.resource.v1beta1.DeviceCapacity": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity", + "description": "Value defines how much of a certain device capacity is available." + } + }, + "required": [ + "value" + ], + "type": "object", + "additionalProperties": false + }, + "io.k8s.api.resource.v1beta1.DeviceClaim": { "description": "DeviceClaim defines how to request devices with a ResourceClaim.", "properties": { "config": { "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -16255,7 +16227,7 @@ "constraints": { "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -16263,7 +16235,7 @@ "requests": { "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -16272,11 +16244,11 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceClaimConfiguration": { "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { @@ -16291,7 +16263,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceClass": { + "io.k8s.api.resource.v1beta1.DeviceClass": { "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16310,7 +16282,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec", "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." } }, 
@@ -16322,23 +16294,23 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceClassConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceClassConfiguration": { "description": "DeviceClassConfiguration is used in DeviceClass.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceClassList": { + "io.k8s.api.resource.v1beta1.DeviceClassList": { "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { @@ -16348,7 +16320,7 @@ "items": { "description": "Items is the list of resource classes.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" }, "type": "array" }, 
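Review bot: `DeviceClass` now reports `"version": "v1beta1"` in `x-kubernetes-group-version-kind`, but the unchanged description of `io.k8s.api.resource.v1beta1.DeviceClass` still reads "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate." Check whether that sentence is still accurate for the `v1beta1` type, and update it or flag the mismatch upstream.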
@@ -16372,18 +16344,18 @@ { "group": "resource.k8s.io", "kind": "DeviceClassList", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceClassSpec": { + "io.k8s.api.resource.v1beta1.DeviceClassSpec": { "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { "config": { "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -16391,7 +16363,7 @@ "selectors": { "description": "Each selector must be satisfied by a device which is claimed via this class.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -16400,7 +16372,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceConstraint": { + "io.k8s.api.resource.v1beta1.DeviceConstraint": { "description": "DeviceConstraint must have exactly one field set besides Requests.", "properties": { "matchAttribute": { 
@@ -16419,7 +16391,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceRequest": { + "io.k8s.api.resource.v1beta1.DeviceRequest": { "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", "properties": { "adminAccess": { @@ -16446,7 +16418,7 @@ "selectors": { "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -16459,7 +16431,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult": { + "io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult": { "description": "DeviceRequestAllocationResult contains the allocation result for one request.", "properties": { "adminAccess": { 
@@ -16492,18 +16464,18 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.DeviceSelector": { + "io.k8s.api.resource.v1beta1.DeviceSelector": { "description": "DeviceSelector must have exactly one field set.", "properties": { "cel": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector", "description": "CEL contains a CEL expression for selecting a device." } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration": { + "io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration": { "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", "properties": { "driver": { @@ -16512,7 +16484,7 @@ }, "parameters": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", - "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions." + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, "required": [ 
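Review bot: the sentence added to the `parameters` description in the OpaqueDeviceConfiguration hunk ("The length of the raw data must be smaller or equal to 10 Ki.") states a limit that the schema itself does not carry. The property is still a bare `$ref` to RawExtension with no size constraint, so anything validating manifests against this file will accept oversized driver parameters and enforcement is left to whatever consumes the object. Since the same description says the data is arbitrary and that validation is the driver developer's responsibility, please note in the commit message that the limit is documentation only at this layer, and spell out the unit, because "10 Ki" does not say whether bytes or characters are meant.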
@@ -16522,7 +16494,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceClaim": { + "io.k8s.api.resource.v1beta1.ResourceClaim": { "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16541,11 +16513,11 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, "status": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus", "description": "Status describes whether the claim is ready to use and what has been allocated." } }, @@ -16557,12 +16529,12 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference": { + "io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference": { "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", "properties": { "apiGroup": { 
@@ -16590,7 +16562,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceClaimList": { + "io.k8s.api.resource.v1beta1.ResourceClaimList": { "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { @@ -16600,7 +16572,7 @@ "items": { "description": "Items is the list of resource claims.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" }, "type": "array" }, 
@@ -16624,33 +16596,33 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimList", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceClaimSpec": { + "io.k8s.api.resource.v1beta1.ResourceClaimSpec": { "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { "devices": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim", "description": "Devices defines how to request devices." } }, "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceClaimStatus": { + "io.k8s.api.resource.v1beta1.ResourceClaimStatus": { "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", "properties": { "allocation": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.AllocationResult", "description": "Allocation is set once the claim has been allocated successfully." }, "reservedFor": { "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. 
The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" }, "type": "array", "x-kubernetes-list-map-keys": [ @@ -16664,7 +16636,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplate": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplate": { "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16683,7 +16655,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec", "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." } }, @@ -16695,12 +16667,12 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateList": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplateList": { "description": "ResourceClaimTemplateList is a collection of claim templates.", "properties": { "apiVersion": { 
@@ -16710,7 +16682,7 @@ "items": { "description": "Items is the list of resource claim templates.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" }, "type": "array" }, @@ -16734,12 +16706,12 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplateList", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec": { "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", "properties": { "metadata": { @@ -16747,7 +16719,7 @@ "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." } }, @@ -16757,7 +16729,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourcePool": { + "io.k8s.api.resource.v1beta1.ResourcePool": { "description": "ResourcePool describes the pool that ResourceSlices belong to.", "properties": { "generation": { 
@@ -16783,7 +16755,7 @@ "type": "object", "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceSlice": { + "io.k8s.api.resource.v1beta1.ResourceSlice": { "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { 
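Review bot: the definition renamed to `io.k8s.api.resource.v1beta1.ResourceSlice` keeps its unchanged description, which still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate." That wording no longer matches a v1beta1 definition, and the same sentence survives on the renamed ResourceClaim and ResourceClaimTemplate definitions earlier in this file. If these JSON files are generated, the wording should be corrected at the source they are generated from; otherwise update it here so that readers judging the stability of the API from the schema are not misled.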
@@ -16802,7 +16774,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec", "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -16814,12 +16786,12 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceSliceList": { + "io.k8s.api.resource.v1beta1.ResourceSliceList": { "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { @@ -16829,7 +16801,7 @@ "items": { "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" }, "type": "array" }, @@ -16853,12 +16825,12 @@ { "group": "resource.k8s.io", "kind": "ResourceSliceList", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false }, - "io.k8s.api.resource.v1alpha3.ResourceSliceSpec": { + "io.k8s.api.resource.v1beta1.ResourceSliceSpec": { "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { "allNodes": { @@ -16868,7 +16840,7 @@ "devices": { "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.Device" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.Device" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -16886,7 +16858,7 @@ "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, "pool": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourcePool", "description": "Pool describes the pool that this ResourceSlice belongs to." } }, @@ -19293,6 +19265,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", @@ -20057,6 +20034,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master-standalone-strict/all.json b/master-standalone-strict/all.json index 7479d816261e4a8a88236c2a3aa5f261f633173a..cd8edfc51f4517d4bd8d8e6b3ef7ce87ec9ce19d 100644 --- a/master-standalone-strict/all.json +++ b/master-standalone-strict/all.json @@ -79,10 +79,10 @@ "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch" }, { "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" 
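Review bot: in the `all.json` hunk the two removed refs (v1alpha1 `AuditAnnotation` and `ExpressionWarning`) are replaced in place by `ApplyConfiguration` and `JSONPatch`, so the list stops covering those v1alpha1 types altogether, whereas the DeleteOptions and WatchEvent hunks just above add `v1beta1` next to the existing `v1alpha3` entry. Please state in the commit message that dropping the v1alpha1 validating-policy types is intended, and confirm that a manifest still using them fails validation rather than being passed over because no schema matches.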
@@ -91,40 +91,34 @@ "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" }, { - "$ref": 
"_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef" }, { "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" @@ -318,12 +312,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1.UserInfo" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReview" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReview" }, @@ -537,15 +525,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.coordination.v1.Lease" }, 
@@ -1296,75 +1275,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.UserSubject" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec" - }, - { - "$ref": 
"_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" }, 
@@ -1620,6 +1530,99 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.AllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.BasicDevice" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.Device" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration" + }, + { + "$ref": 
"_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourcePool" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.scheduling.v1.PriorityClass" }, diff --git a/master-standalone-strict/allocationresult-resource-v1beta1.json b/master-standalone-strict/allocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..6efc1b09ec96d3ee108e6528f535907a859c78ae --- /dev/null +++ b/master-standalone-strict/allocationresult-resource-v1beta1.json 
@@ -0,0 +1,244 @@ +{ + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/applyconfiguration-admissionregistration-v1alpha1.json b/master-standalone-strict/applyconfiguration-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..978e2a998a712a855d2bae4b43d223cbd177fa5a --- /dev/null +++ b/master-standalone-strict/applyconfiguration-admissionregistration-v1alpha1.json 
@@ -0,0 +1,15 @@ +{ + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/applyconfiguration.json b/master-standalone-strict/applyconfiguration.json new file mode 100644 index 0000000000000000000000000000000000000000..978e2a998a712a855d2bae4b43d223cbd177fa5a --- /dev/null +++ b/master-standalone-strict/applyconfiguration.json 
@@ -0,0 +1,15 @@ +{ + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/auditannotation-admissionregistration-v1alpha1.json b/master-standalone-strict/auditannotation-admissionregistration-v1alpha1.json deleted file mode 100644 index 9187a73c1f7f69f964d1a751b2684de79a0a9ca8..0000000000000000000000000000000000000000 --- a/master-standalone-strict/auditannotation-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": [ - "string", - "null" - ] - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
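Review bot: nothing in this hunk or its file header says where the `key` / `valueExpression` schema lives once auditannotation-admissionregistration-v1alpha1.json is deleted, and the _definitions.json hunk earlier in the patch drops the matching `io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation` definition in the same change. Tooling that resolves this path to validate policy manifests will fail to load a schema rather than report a validation error, and the `required: [key, valueExpression]` check goes with it. Please confirm that an AuditAnnotation schema for a newer API version is still generated in this directory, and record the v1alpha1 removal in the commit message or changelog. The deleted description is also the only visible statement of the rule that the first annotation written under a colliding "{ValidatingAdmissionPolicy name}/{key}" wins and later ones are discarded, which matters to anyone relying on these annotations in audit events.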
diff --git a/master-standalone-strict/basicdevice-resource-v1beta1.json b/master-standalone-strict/basicdevice-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..590efe668f1aec621197f66ac590aac25048b044 --- /dev/null +++ b/master-standalone-strict/basicdevice-resource-v1beta1.json 
@@ -0,0 +1,90 @@ +{ + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + }, + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
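Review bot: in `attributes.additionalProperties` the description says "DeviceAttribute must have exactly one field set", but the schema does not encode that. `bool`, `int`, `string` and `version` are all optional and nullable and there is no `required`, `oneOf`, `minProperties` or `maxProperties`, so an empty attribute object, or one with all four fields set, passes this "strict" schema and is only caught later. The same gap applies to the "Must not be longer than 64 characters" limits on `string` and `version` (no `maxLength`) and to "The maximum number of attributes and capacities combined is 32" (no `maxProperties`). If the generator cannot emit these constraints, the descriptions should say that they are enforced by the API server only, so that a pass from offline validation is not read as acceptance. Separately, in `capacity.additionalProperties.properties.value` both `oneOf` branches list `null`, so a null `value` matches both branches and is rejected by `oneOf`, although the nullable types suggest it is allowed. Dropping `null` from the two branches would make the intent explicit.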
diff --git a/master-standalone-strict/basicdevice.json b/master-standalone-strict/basicdevice.json index 82614f08bfb69757508cc6fd25f96d7f4bd8fb27..590efe668f1aec621197f66ac590aac25048b044 100644 --- a/master-standalone-strict/basicdevice.json +++ b/master-standalone-strict/basicdevice.json @@ -49,20 +49,33 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } - ] + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ diff --git a/master-standalone-strict/celdeviceselector-resource-v1beta1.json b/master-standalone-strict/celdeviceselector-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..eabb5285d80942fb325b2c633d9062fafb83dd0d --- /dev/null +++ b/master-standalone-strict/celdeviceselector-resource-v1beta1.json 
@@ -0,0 +1,18 @@ +{ + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. 
Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "expression" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/clustertrustbundle-certificates-v1alpha1.json b/master-standalone-strict/clustertrustbundle-certificates-v1alpha1.json deleted file mode 100644 index 1da09308392a705a369c33aa6e199568cb1b614a..0000000000000000000000000000000000000000 --- a/master-standalone-strict/clustertrustbundle-certificates-v1alpha1.json +++ /dev/null 
@@ -1,315 +0,0 @@ -{ - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "certificates.k8s.io/v1alpha1" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "properties": { - "annotations": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", - "type": [ - "object", - "null" - ] - }, - "creationTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "deletionTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set", - "x-kubernetes-patch-strategy": "merge" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": [ - "string", - "null" - ] - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "labels": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", - "type": [ - "object", - "null" - ] - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "items": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": [ - "string", - "null" - ] - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": [ - "string", - "null" - ] - }, - "fieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": [ - "object", - "null" - ] - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": [ - "string", - "null" - ] - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": [ - "string", - "null" - ] - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": [ - "string", - "null" - ] - }, - "time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "name": { - "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", - "type": [ - "string", - "null" - ] - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "items": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "properties": { - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": [ - "boolean", - "null" - ] - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": [ - "boolean", - "null" - ] - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - }, - "required": [ - "apiVersion", - "kind", - "name", - "uid" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-map-type": "atomic", - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "uid" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "spec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). 
For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/clustertrustbundle.json b/master-standalone-strict/clustertrustbundle.json deleted file mode 100644 index 0c39026d44c99cd5b65e996bd63c6ab568eda924..0000000000000000000000000000000000000000 --- a/master-standalone-strict/clustertrustbundle.json +++ /dev/null 
@@ -1,312 +0,0 @@ -{ - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "properties": { - "annotations": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", - "type": [ - "object", - "null" - ] - }, - "creationTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "deletionTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set", - "x-kubernetes-patch-strategy": "merge" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": [ - "string", - "null" - ] - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "labels": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", - "type": [ - "object", - "null" - ] - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "items": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": [ - "string", - "null" - ] - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": [ - "string", - "null" - ] - }, - "fieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": [ - "object", - "null" - ] - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": [ - "string", - "null" - ] - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": [ - "string", - "null" - ] - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": [ - "string", - "null" - ] - }, - "time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "name": { - "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", - "type": [ - "string", - "null" - ] - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "items": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "properties": { - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": [ - "boolean", - "null" - ] - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": [ - "boolean", - "null" - ] - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - }, - "required": [ - "apiVersion", - "kind", - "name", - "uid" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-map-type": "atomic", - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "uid" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "spec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). 
For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/clustertrustbundlelist.json b/master-standalone-strict/clustertrustbundlelist.json deleted file mode 100644 index 7a426e230259fd181651f7b4a42f26ca91b1c2d5..0000000000000000000000000000000000000000 --- a/master-standalone-strict/clustertrustbundlelist.json +++ /dev/null 
@@ -1,392 +0,0 @@ -{ - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ] - }, - "items": { - "description": "items is a collection of ClusterTrustBundle objects", - "items": { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "properties": { - "annotations": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", - "type": [ - "object", - "null" - ] - }, - "creationTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "deletionTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. 
If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set", - "x-kubernetes-patch-strategy": "merge" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": [ - "string", - "null" - ] - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "labels": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", - "type": [ - "object", - "null" - ] - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "items": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": [ - "string", - "null" - ] - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": [ - "string", - "null" - ] - }, - "fieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": [ - "object", - "null" - ] - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": [ - "string", - "null" - ] - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": [ - "string", - "null" - ] - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": [ - "string", - "null" - ] - }, - "time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "name": { - "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", - "type": [ - "string", - "null" - ] - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "items": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "properties": { - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": [ - "boolean", - "null" - ] - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": [ - "boolean", - "null" - ] - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - }, - "required": [ - "apiVersion", - "kind", - "name", - "uid" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-map-type": "atomic", - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "uid" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "spec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). 
For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "additionalProperties": false - } - }, - "required": [ - "spec" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundleList" - ] - }, - "metadata": { - "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", - "properties": { - "continue": { - "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", - "type": [ - "string", - "null" - ] - }, - "remainingItemCount": { - "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. 
Clients should not rely on the remainingItemCount to be set or to be exact.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "resourceVersion": { - "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" - } - ], - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/clustertrustbundlespec-certificates-v1alpha1.json b/master-standalone-strict/clustertrustbundlespec-certificates-v1alpha1.json deleted file mode 100644 index 50a7a02e406b2bfe8331ec7274a77c98a87a5ed7..0000000000000000000000000000000000000000 --- a/master-standalone-strict/clustertrustbundlespec-certificates-v1alpha1.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
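Review bot: the full deletion of clustertrustbundlespec-certificates-v1alpha1.json is not explained in the part of the change shown here, and it removes the versioned strict schema for the certificates.k8s.io v1alpha1 ClusterTrustBundle spec. The commit message or changelog should say whether the kind was dropped upstream or moved to another version. After this hunk, manifests that set `signerName` and `trustBundle` are no longer checked against `"required": ["trustBundle"]` and `"additionalProperties": false` in master-standalone-strict, and users pinned to master need to know that.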
diff --git a/master-standalone-strict/clustertrustbundlespec.json b/master-standalone-strict/clustertrustbundlespec.json deleted file mode 100644 index 50a7a02e406b2bfe8331ec7274a77c98a87a5ed7..0000000000000000000000000000000000000000 --- a/master-standalone-strict/clustertrustbundlespec.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
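Review bot: the unversioned alias clustertrustbundlespec.json (same blob 50a7a02e as the versioned file) is deleted outright rather than regenerated from a newer API version, so a consumer that resolves the unversioned path now gets a missing schema instead of an updated one. If a newer version of the kind exists, keep this alias and repoint it; if not, the deletion is fine. Either way, confirm how downstream validation handles the absent file, because tooling that skips kinds without a schema would pass ClusterTrustBundle trust anchors through unchecked.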
diff --git a/master-standalone-strict/csipersistentvolumesource-v1.json b/master-standalone-strict/csipersistentvolumesource-v1.json index 4e879de9e1155ea13101c95005d7e151efba1e0c..088f26b43aeae99970609307b06e9e7dd3c1dcd2 100644 --- a/master-standalone-strict/csipersistentvolumesource-v1.json +++ b/master-standalone-strict/csipersistentvolumesource-v1.json @@ -1,5 +1,5 @@ { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", diff --git a/master-standalone-strict/csipersistentvolumesource.json b/master-standalone-strict/csipersistentvolumesource.json index 4e879de9e1155ea13101c95005d7e151efba1e0c..088f26b43aeae99970609307b06e9e7dd3c1dcd2 100644 --- a/master-standalone-strict/csipersistentvolumesource.json +++ b/master-standalone-strict/csipersistentvolumesource.json @@ -1,5 +1,5 @@ { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", diff --git a/master-standalone-strict/deleteoptions-meta-v1.json b/master-standalone-strict/deleteoptions-meta-v1.json index e64d1895c16f524dc1e43c669e999a2cefe0e673..62b0d1279ee468730353eadb90c0db3cedd7d9b7 100644 --- a/master-standalone-strict/deleteoptions-meta-v1.json +++ b/master-standalone-strict/deleteoptions-meta-v1.json 
@@ -61,6 +61,7 @@ "rbac.authorization.k8s.io/v1alpha1", "rbac.authorization.k8s.io/v1beta1", "resource.k8s.io/v1alpha3", + "resource.k8s.io/v1beta1", "scheduling.k8s.io/v1", "scheduling.k8s.io/v1alpha1", "scheduling.k8s.io/v1beta1", @@ -408,6 +409,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-standalone-strict/deleteoptions.json b/master-standalone-strict/deleteoptions.json index c0171233c2638668d6b6da5bd150e253559c16c4..7e2677340f9e4462d2b3a4a0ac2d3176acde2727 100644 --- a/master-standalone-strict/deleteoptions.json +++ b/master-standalone-strict/deleteoptions.json @@ -346,6 +346,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-standalone-strict/device-resource-v1beta1.json b/master-standalone-strict/device-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..650f938a101549cd7fbdfe89a6175c30b3af9afb --- /dev/null +++ b/master-standalone-strict/device-resource-v1beta1.json 
@@ -0,0 +1,110 @@ +{ + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + }, + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "description": "Capacity defines the set of capacities for this device. 
The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/device.json b/master-standalone-strict/device.json index 015194c6e7cb4a66aba7583b2e3ed62cb54bedea..650f938a101549cd7fbdfe89a6175c30b3af9afb 100644 --- a/master-standalone-strict/device.json +++ b/master-standalone-strict/device.json @@ -52,20 +52,33 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } - ] + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ diff --git a/master-standalone-strict/deviceallocationconfiguration-resource-v1beta1.json b/master-standalone-strict/deviceallocationconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..d3c8b9b58f6fe24c16da44527902d44550360083 --- /dev/null +++ b/master-standalone-strict/deviceallocationconfiguration-resource-v1beta1.json 
@@ -0,0 +1,54 @@ +{ + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "source" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/deviceallocationresult-resource-v1beta1.json b/master-standalone-strict/deviceallocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..423dc0f83c3d12060507a7e49f3f8f11557e0dfb --- /dev/null +++ b/master-standalone-strict/deviceallocationresult-resource-v1beta1.json 
@@ -0,0 +1,116 @@ +{ + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/deviceattribute-resource-v1beta1.json b/master-standalone-strict/deviceattribute-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..70675af56b15449d80b57af5eacf90cf5468a0c6 --- /dev/null +++ b/master-standalone-strict/deviceattribute-resource-v1beta1.json 
@@ -0,0 +1,37 @@ +{ + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/devicecapacity-resource-v1beta1.json b/master-standalone-strict/devicecapacity-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c2c3c926f61f2a389ec4a4729cc8f7fb36eaa325 --- /dev/null +++ b/master-standalone-strict/devicecapacity-resource-v1beta1.json @@ -0,0 +1,27 @@ +{ + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/devicecapacity.json b/master-standalone-strict/devicecapacity.json new file mode 100644 index 0000000000000000000000000000000000000000..c2c3c926f61f2a389ec4a4729cc8f7fb36eaa325 --- /dev/null +++ b/master-standalone-strict/devicecapacity.json 
@@ -0,0 +1,27 @@ +{ + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/deviceclaim-resource-v1beta1.json b/master-standalone-strict/deviceclaim-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..db1c4db1b7384231ca22f4b478494eeb22e9f887 --- /dev/null +++ b/master-standalone-strict/deviceclaim-resource-v1beta1.json 
@@ -0,0 +1,188 @@ +{ + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? 
Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. 
All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". 
This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/deviceclaimconfiguration-resource-v1beta1.json b/master-standalone-strict/deviceclaimconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..a8b93f2a0d870436d15f9e3b062ab6fef83be80e --- /dev/null +++ b/master-standalone-strict/deviceclaimconfiguration-resource-v1beta1.json 
@@ -0,0 +1,44 @@ +{ + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/selfsubjectreview-authentication-v1alpha1.json b/master-standalone-strict/deviceclass-resource-v1beta1.json similarity index 68% rename from master-standalone-strict/selfsubjectreview-authentication-v1alpha1.json rename to master-standalone-strict/deviceclass-resource-v1beta1.json index 49eac5c7e33e789835757425f7d9faf12b140d35..ca2470457a907e3d6265c7e50313248244f3a76a 100644 --- a/master-standalone-strict/selfsubjectreview-authentication-v1alpha1.json +++ b/master-standalone-strict/deviceclass-resource-v1beta1.json 
@@ -1,5 +1,5 @@ { - "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,7 +8,7 @@ "null" ], "enum": [ - "authentication.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "kind": { @@ -18,7 +18,7 @@ "null" ], "enum": [ - "SelfSubjectReview" + "DeviceClass" ] }, "metadata": { 
@@ -274,65 +274,83 @@ ], "additionalProperties": false }, - "status": { - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", + "spec": { + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { - "userInfo": { - "description": "UserInfo holds the information about the user needed to implement the user.Info interface.", - "properties": { - "extra": { - "additionalProperties": { - "items": { - "type": [ - "string", - "null" - ] + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. 
(TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } }, + "required": [ + "driver", + "parameters" + ], "type": [ - "array", + "object", "null" - ] - }, - "description": "Any additional information provided by the authenticator.", - "type": [ - "object", - "null" - ] + ], + "additionalProperties": false + } }, - "groups": { - "description": "The names of groups this user is a part of.", - "items": { + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". 
This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], "type": [ - "string", + "object", "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "uid": { - "description": "A unique value that identifies this user across time. 
If this user is deleted and another user by the same name is added, they will have different UIDs.", - "type": [ - "string", - "null" - ] + ], + "additionalProperties": false + } }, - "username": { - "description": "The name that uniquely identifies this user among all active users.", - "type": [ - "string", - "null" - ] - } + "type": [ + "object", + "null" + ], + "additionalProperties": false }, "type": [ - "object", + "array", "null" ], - "additionalProperties": false + "x-kubernetes-list-type": "atomic" } }, "type": [ @@ -342,12 +360,15 @@ "additionalProperties": false } }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "authentication.k8s.io", - "kind": "SelfSubjectReview", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/deviceclass.json b/master-standalone-strict/deviceclass.json index 63e4ffd02d4a7a1f4bf84efa86e10c6bddae9176..143cca5197acfdcdfc6288f1c271eba5a3f086eb 100644 --- a/master-standalone-strict/deviceclass.json +++ b/master-standalone-strict/deviceclass.json @@ -365,7 +365,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/deviceclassconfiguration-resource-v1beta1.json b/master-standalone-strict/deviceclassconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..8c694881df617893f9f8de2301b4ec6939eaf1cd --- /dev/null +++ b/master-standalone-strict/deviceclassconfiguration-resource-v1beta1.json 
@@ -0,0 +1,30 @@ +{ + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/clustertrustbundlelist-certificates-v1alpha1.json b/master-standalone-strict/deviceclasslist-resource-v1beta1.json similarity index 72% rename from master-standalone-strict/clustertrustbundlelist-certificates-v1alpha1.json rename to master-standalone-strict/deviceclasslist-resource-v1beta1.json index f1f077c6704b49231f5c4f37962766e02d06b55c..57ec00e74b38dd5ac6f8be086445343e78d54f6e 100644 --- a/master-standalone-strict/clustertrustbundlelist-certificates-v1alpha1.json +++ b/master-standalone-strict/deviceclasslist-resource-v1beta1.json @@ -1,5 +1,5 @@ { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", + "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -8,13 +8,13 @@ "null" ], "enum": [ - "certificates.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "items is a collection of ClusterTrustBundle objects", + "description": "Items is the list of resource classes.", "items": { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -23,7 +23,7 @@ "null" ], "enum": [ - "certificates.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "kind": { 
@@ -33,7 +33,7 @@ "null" ], "enum": [ - "ClusterTrustBundle" + "DeviceClass" ] }, "metadata": { 
@@ -290,23 +290,84 @@ "additionalProperties": false }, "spec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. 
Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. 
The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "type": [ - "string", + "array", "null" - ] + ], + "x-kubernetes-list-type": "atomic" }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. 
Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. 
For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, - "required": [ - "trustBundle" - ], "type": "object", "additionalProperties": false } @@ -320,9 +381,9 @@ ], "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1beta1" } ], "additionalProperties": false @@ -339,7 +400,7 @@ "null" ], "enum": [ - "ClusterTrustBundleList" + "DeviceClassList" ] }, "metadata": { @@ -388,9 +449,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClassList", + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/deviceclasslist.json b/master-standalone-strict/deviceclasslist.json index 9bdeb263fce1bc57d2d169584a9c5819c6ec436a..b99b3edf6df077ce984e9436a6682b4562063bb3 100644 --- a/master-standalone-strict/deviceclasslist.json +++ b/master-standalone-strict/deviceclasslist.json @@ -377,7 +377,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false @@ -445,7 +445,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClassList", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false, 
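Review bot: The file header for deviceclasslist-resource-v1beta1.json records it as a 72% similarity rename from clustertrustbundlelist-certificates-v1alpha1.json (and deviceclass-resource-v1beta1.json as a 68% rename from selfsubjectreview-authentication-v1alpha1.json), which hides the fact that two unrelated schemas disappear from master-standalone-strict. The commit message should say explicitly that the certificates.k8s.io/v1alpha1 ClusterTrustBundleList and authentication.k8s.io/v1alpha1 SelfSubjectReview schemas are being removed, so anyone validating manifests against those paths knows the lookup will now fail instead of finding the change only by reading rename headers.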
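Review bot: In hunk @@ -8,13 +8,13 @@ of deviceclasslist-resource-v1beta1.json the new DeviceClass description still reads "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate", while the same hunk pins the apiVersion enum to "resource.k8s.io/v1beta1". The same sentence appears in deviceclass-resource-v1beta1.json. One of the two is stale. Correct the description wherever it originates so the stated maturity level matches the version the schema accepts, since readers use this text to decide whether the type is safe to depend on.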
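Review bot: In hunk @@ -290,23 +290,84 @@ of deviceclasslist-resource-v1beta1.json, the `selectors` item says "DeviceSelector must have exactly one field set", but the schema declares `cel` as an optional property with no `required` or `minProperties` at the item level, so an empty selector `{}` passes this "strict" schema. The "smaller or equal to 10 Ki" limit on `expression` likewise has no `maxLength`. If these constraints cannot be expressed here, document that passing this schema does not imply the object would be accepted, so the file is not mistaken for an admission-equivalent check on DeviceClass selectors. Two wording nits in the same hunk: "classses" in the `config` description, and the parenthesis opened at "(e.g. device.attributes[...]" in the `expression` description is never closed.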
diff --git a/master-standalone-strict/deviceclassspec-resource-v1beta1.json b/master-standalone-strict/deviceclassspec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..b1cf732779936e3db9c0225a62dcada64eab70f6 --- /dev/null +++ b/master-standalone-strict/deviceclassspec-resource-v1beta1.json 
@@ -0,0 +1,83 @@ +{ + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", + "properties": { + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. 
(TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". 
This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
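Review bot: in deviceclassspec-resource-v1beta1.json, selectors.items carries the description "DeviceSelector must have exactly one field set", but nothing in the schema enforces it: cel is typed ["object", "null"], the item itself is typed ["object", "null"], and the item has no required list, so {}, {"cel": null} and a null list entry all pass strict validation. These selectors are what "must be satisfied by a device which is claimed via this class", so a manifest the description calls invalid should not pass the offline check; consider emitting "required": ["cel"] on the item and dropping "null" from the cel type if the generator allows it. Text points for the source descriptions: "classses" in the config description, the parenthesis opened at "(e.g. device.attributes[" is never closed, and the RawExtension wire example has trailing commas, so it is not valid JSON as printed.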
diff --git a/master-standalone-strict/deviceconstraint-resource-v1beta1.json b/master-standalone-strict/deviceconstraint-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e0186e4892ed1e8e4e7b689df616b52d115ce554 --- /dev/null +++ b/master-standalone-strict/deviceconstraint-resource-v1beta1.json @@ -0,0 +1,29 @@ +{ + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/devicerequest-resource-v1beta1.json b/master-standalone-strict/devicerequest-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..06477bbe47fbeaab16ea72e478ee55e80b33bf86 --- /dev/null 
+++ b/master-standalone-strict/devicerequest-resource-v1beta1.json 
@@ -0,0 +1,83 @@ +{ + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": [ + "string", + "null" + ] + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. 
device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/devicerequestallocationresult-resource-v1beta1.json b/master-standalone-strict/devicerequestallocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..736243d4d417266fedfc73d2e1d73d7f7b3fdfb7 --- /dev/null +++ b/master-standalone-strict/devicerequestallocationresult-resource-v1beta1.json 
@@ -0,0 +1,49 @@ +{ + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": [ + "string", + "null" + ] + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": [ + "string", + "null" + ] + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": [ + "string", + "null" + ] + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
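Review bot: in devicerequest-resource-v1beta1.json the description says a DeviceClassName "is currently required" and that clients "must check that it is indeed set", yet deviceClassName and name appear under required while both are typed ["string", "null"], so "deviceClassName": null satisfies this schema. The required list only checks that the key is present; drop "null" from the type of the required properties so the strict schema matches the stated contract. Text points for the source descriptions: "It's absence" should be "Its absence", "AlloctionMode" should be "AllocationMode", and the count description refers to "the count mode" where the field is allocationMode.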
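Review bot: in devicerequestallocationresult-resource-v1beta1.json the adminAccess description sends the reader to "the corresponding request field for a definition of mode", but the DeviceRequest adminAccess description added in this patch defines no mode; it only says such claims "ignore all ordinary claims to the device with respect to access modes and any resource allocations". Since this field records that a device was handed out with that bypass, the description should either say so itself or point at text that exists. The four required properties (request, driver, pool, device) are also typed ["string", "null"], so a null driver passes even though driver decides which kubelet plugin is invoked.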
diff --git a/master-standalone-strict/deviceselector-resource-v1beta1.json b/master-standalone-strict/deviceselector-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..b18fa092d677969dd724524d502b7c964b92988c --- /dev/null +++ b/master-standalone-strict/deviceselector-resource-v1beta1.json 
@@ -0,0 +1,25 @@ +{ + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. 
Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/eviction-policy-v1.json b/master-standalone-strict/eviction-policy-v1.json index 9cdd41430a10302b92c459fc9227041d28c696be..f5caa73e355e66238cbd1767f1cc53345883f506 100644 --- a/master-standalone-strict/eviction-policy-v1.json +++ b/master-standalone-strict/eviction-policy-v1.json @@ -74,6 +74,7 @@ "rbac.authorization.k8s.io/v1alpha1", "rbac.authorization.k8s.io/v1beta1", "resource.k8s.io/v1alpha3", + "resource.k8s.io/v1beta1", "scheduling.k8s.io/v1", "scheduling.k8s.io/v1alpha1", "scheduling.k8s.io/v1beta1", @@ -424,6 +425,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-standalone-strict/eviction.json b/master-standalone-strict/eviction.json index c84cdd5d49289fe6434ddaf20a58ac4dfb6a7fba..9d2e289e25695c0e32d7abc0c6f87fea4d45aa7e 100644 --- a/master-standalone-strict/eviction.json +++ b/master-standalone-strict/eviction.json 
@@ -359,6 +359,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-standalone-strict/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json b/master-standalone-strict/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index 941dd796db8879617ac0740a631e8c40323a1215..0000000000000000000000000000000000000000 --- a/master-standalone-strict/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
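Review bot: deleting exemptprioritylevelconfiguration-flowcontrol-v1beta3.json leaves manifests that still declare flowcontrol.apiserver.k8s.io/v1beta3 with no schema to resolve to, and the other flowcontrol hunks in this patch either delete the v1beta3 file as well or switch the group-version-kind from v1beta3 to v1. Depending on how a consumer's validator treats a kind with no schema, those manifests either start failing or pass through unvalidated, and the second case is silent. Please call out the v1beta3 removal in the commit message so consumers can migrate to v1 or pin the previous schema directory.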
diff --git a/master-standalone-strict/expressionwarning-admissionregistration-v1alpha1.json b/master-standalone-strict/expressionwarning-admissionregistration-v1alpha1.json deleted file mode 100644 index df9985b4068ed0fd603b71a08ade28085228b6bd..0000000000000000000000000000000000000000 --- a/master-standalone-strict/expressionwarning-admissionregistration-v1alpha1.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": [ - "string", - "null" - ] - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/flowdistinguishermethod-flowcontrol-v1beta3.json b/master-standalone-strict/flowdistinguishermethod-flowcontrol-v1beta3.json deleted file mode 100644 index 4888a9a47e4301195b19c96f71201a51ccbd1af8..0000000000000000000000000000000000000000 --- a/master-standalone-strict/flowdistinguishermethod-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,18 +0,0 @@ -{ - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/flowschema.json b/master-standalone-strict/flowschema.json index 47a41c8118e008d049b4b2b941d943b40f7865f9..c218fc39b6c5b43980b1d353bfd7988b4302154e 100644 --- a/master-standalone-strict/flowschema.json +++ b/master-standalone-strict/flowschema.json @@ -628,7 +628,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchema", - "version": "v1beta3" + "version": "v1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/flowschemacondition-flowcontrol-v1beta3.json b/master-standalone-strict/flowschemacondition-flowcontrol-v1beta3.json deleted file mode 100644 index 1ad1d1351e84424646a734f4426942e06e5f11f1..0000000000000000000000000000000000000000 --- a/master-standalone-strict/flowschemacondition-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/flowschemalist.json b/master-standalone-strict/flowschemalist.json index e08a394dfa7e8e54f97de2e4fd5db022159fe58b..38603b81f5d17b4bccfe4a57c52c2daa095aec3e 100644 --- a/master-standalone-strict/flowschemalist.json +++ b/master-standalone-strict/flowschemalist.json @@ -643,7 +643,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchema", - "version": "v1beta3" + "version": "v1" } ], "additionalProperties": false @@ -711,7 +711,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchemaList", - "version": "v1beta3" + "version": "v1" } ], "additionalProperties": false, 
diff --git a/master-standalone-strict/flowschemaspec-flowcontrol-v1beta3.json b/master-standalone-strict/flowschemaspec-flowcontrol-v1beta3.json deleted file mode 100644 index f689ad9355468e9c3e754838d3a7a9826ab09b4c..0000000000000000000000000000000000000000 --- a/master-standalone-strict/flowschemaspec-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,283 +0,0 @@ -{ - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", - "properties": { - "distinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "priorityLevelConfiguration": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", - "items": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. 
This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", - "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. 
At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). 
This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. 
Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": "string" - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": "string" - } - }, - "required": [ - "namespace", - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "required": [ - "kind" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ], - "additionalProperties": false - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "priorityLevelConfiguration" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone-strict/flowschemastatus-flowcontrol-v1beta3.json b/master-standalone-strict/flowschemastatus-flowcontrol-v1beta3.json deleted file mode 100644 index 3d299a2ae90d6b4d1b1819f649026e78979044f9..0000000000000000000000000000000000000000 --- a/master-standalone-strict/flowschemastatus-flowcontrol-v1beta3.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone-strict/groupsubject-flowcontrol-v1beta3.json b/master-standalone-strict/groupsubject-flowcontrol-v1beta3.json deleted file mode 100644 index 179ebef464e69c9df15de0e4f2359b906130eb5f..0000000000000000000000000000000000000000 --- a/master-standalone-strict/groupsubject-flowcontrol-v1beta3.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/horizontalpodautoscaler-autoscaling-v2.json b/master-standalone-strict/horizontalpodautoscaler-autoscaling-v2.json index d939e817b45411f1982b473f898ee0aa865240c9..fa7156febdcc4412b344b256c90ea6bfd1a64bf8 100644 --- a/master-standalone-strict/horizontalpodautoscaler-autoscaling-v2.json +++ b/master-standalone-strict/horizontalpodautoscaler-autoscaling-v2.json @@ -1048,7 +1048,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
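Review bot: In horizontalpodautoscaler-autoscaling-v2.json the `type` property at this hunk is still a bare `"type": "string"` with no `enum`, so the five metric source names listed in the description ("ContainerResource", "External", "Object", "Pods", "Resource") are documentation only, and a misspelled value passes strict validation. With the HPAContainerMetrics note gone, the description also no longer says when "ContainerResource" may be unavailable. If the gate note is dropped deliberately, say so in the commit message, and consider constraining the value with an `enum` so the strict schema enforces what the description promises. The same applies to the matching hunks in the other horizontalpodautoscaler* files.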
@@ -1769,7 +1769,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone-strict/horizontalpodautoscaler.json b/master-standalone-strict/horizontalpodautoscaler.json index 202cf876eaabac4229a3071685047b2e7b310f57..d20c895435efdfaf470b9996b3ed57cb386fe37e 100644 --- a/master-standalone-strict/horizontalpodautoscaler.json +++ b/master-standalone-strict/horizontalpodautoscaler.json @@ -1045,7 +1045,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
@@ -1766,7 +1766,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone-strict/horizontalpodautoscalerlist-autoscaling-v2.json b/master-standalone-strict/horizontalpodautoscalerlist-autoscaling-v2.json index 7b84913084201a04df708f99bcc8af1f8d00fc5c..79b3d8bd86f855bcef10bdf2336a7d188046d20c 100644 --- a/master-standalone-strict/horizontalpodautoscalerlist-autoscaling-v2.json +++ b/master-standalone-strict/horizontalpodautoscalerlist-autoscaling-v2.json @@ -1063,7 +1063,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
@@ -1784,7 +1784,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone-strict/horizontalpodautoscalerlist.json b/master-standalone-strict/horizontalpodautoscalerlist.json index 6e1d0c410f88ec7c2bbc925a03fa8a7d5eec1d76..ae0548c3df1a2a654cb1a0cca4e81b2076ce56ad 100644 --- a/master-standalone-strict/horizontalpodautoscalerlist.json +++ b/master-standalone-strict/horizontalpodautoscalerlist.json @@ -1057,7 +1057,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
@@ -1778,7 +1778,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone-strict/horizontalpodautoscalerspec-autoscaling-v2.json b/master-standalone-strict/horizontalpodautoscalerspec-autoscaling-v2.json index b447c7802fea91a7b92031297acfd4f7ca9bcb34..86cb2eb813c9e1da58e024bed4743184ca0af499 100644 --- a/master-standalone-strict/horizontalpodautoscalerspec-autoscaling-v2.json +++ b/master-standalone-strict/horizontalpodautoscalerspec-autoscaling-v2.json @@ -775,7 +775,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone-strict/horizontalpodautoscalerspec.json b/master-standalone-strict/horizontalpodautoscalerspec.json index b447c7802fea91a7b92031297acfd4f7ca9bcb34..86cb2eb813c9e1da58e024bed4743184ca0af499 100644 --- a/master-standalone-strict/horizontalpodautoscalerspec.json +++ b/master-standalone-strict/horizontalpodautoscalerspec.json 
@@ -775,7 +775,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone-strict/horizontalpodautoscalerstatus-autoscaling-v2.json b/master-standalone-strict/horizontalpodautoscalerstatus-autoscaling-v2.json index aaf16d286654133ac601e159ba0da8aa033b4ca2..04eb5689370b803485fd886d4983812d31a90891 100644 --- a/master-standalone-strict/horizontalpodautoscalerstatus-autoscaling-v2.json +++ b/master-standalone-strict/horizontalpodautoscalerstatus-autoscaling-v2.json @@ -655,7 +655,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone-strict/horizontalpodautoscalerstatus.json b/master-standalone-strict/horizontalpodautoscalerstatus.json index aaf16d286654133ac601e159ba0da8aa033b4ca2..04eb5689370b803485fd886d4983812d31a90891 100644 --- a/master-standalone-strict/horizontalpodautoscalerstatus.json +++ b/master-standalone-strict/horizontalpodautoscalerstatus.json 
@@ -655,7 +655,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone-strict/jsonpatch-admissionregistration-v1alpha1.json b/master-standalone-strict/jsonpatch-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..3827a850ca8477e7347e6d8b50aebc84ab0b6ab3 --- /dev/null +++ b/master-standalone-strict/jsonpatch-admissionregistration-v1alpha1.json 
@@ -0,0 +1,15 @@ +{ + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
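Review bot: In the closing sentence of the `expression` description, the pattern `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` places `.-/` inside a character class, which a regex engine reads as the range from '.' to '/', so a literal '-' is not in the set as written. If hyphen is meant to be accepted, move it to the end of the class, e.g. `[a-zA-Z_./-][a-zA-Z0-9_./-]*`. The same description has mismatched quoting in two places: "'~0' and `~1' respectively)." (backtick opening, apostrophe closing, and a closing parenthesis with no opener) and the "'Object.<fieldName1>.<fieldName2>...<fieldNameN>`" bullet. If this text is generated from another source, the fix belongs there rather than in this file.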
diff --git a/master-standalone-strict/jsonpatch.json b/master-standalone-strict/jsonpatch.json new file mode 100644 index 0000000000000000000000000000000000000000..3827a850ca8477e7347e6d8b50aebc84ab0b6ab3 --- /dev/null +++ b/master-standalone-strict/jsonpatch.json 
@@ -0,0 +1,15 @@ +{ + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
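Review bot: The `expression` description ends with "Required.", but the property is typed `[ "string", "null" ]` and the object carries no `required` list, so a JSONPatch with `expression` omitted or set to null validates against this strict schema. Other files in this directory do list their mandatory fields (groupsubject-flowcontrol-v1beta3.json has `"required": [ "name" ]`); add `"required": [ "expression" ]` here, or drop "Required." from the description if the field is optional. This file has the same blob hash (3827a850...) as jsonpatch-admissionregistration-v1alpha1.json, so the change is needed in both.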
diff --git a/master-standalone-strict/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json b/master-standalone-strict/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index bce5fdd2cb0f885d92cb838077e5801a22397df1..0000000000000000000000000000000000000000 --- a/master-standalone-strict/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,91 +0,0 @@ -{ - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", - "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. 
The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. 
This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], - "additionalProperties": false - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/limitedprioritylevelconfiguration.json b/master-standalone-strict/limitedprioritylevelconfiguration.json index bce5fdd2cb0f885d92cb838077e5801a22397df1..3a1a34677eab7806672ad540b580d084a9f46262 100644 
--- a/master-standalone-strict/limitedprioritylevelconfiguration.json +++ b/master-standalone-strict/limitedprioritylevelconfiguration.json @@ -77,7 +77,7 @@ "additionalProperties": false }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", 
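Review bot: The new `nominalConcurrencyShares` description stops mid-sentence at "that is used to hold some request(s)" with no closing punctuation, so the explanation of the zero-share "jail" is incomplete. Restore the rest of the sentence, since this is the only place the hunk documents what a value of zero means. The reworded default ("If not specified, this field defaults to a value of 30.") reads fine.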
diff --git a/master-standalone-strict/limitresponse-flowcontrol-v1beta3.json b/master-standalone-strict/limitresponse-flowcontrol-v1beta3.json deleted file mode 100644 index d6cd0312fbb39d0fce076a266752a2f686c918c0..0000000000000000000000000000000000000000 --- a/master-standalone-strict/limitresponse-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,60 +0,0 @@ -{ - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". 
\"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/localvolumesource-v1.json b/master-standalone-strict/localvolumesource-v1.json index 96234ac2db045574b8ba6f8e441e2c78acef1bca..9316c372174add4311edc71a9a20fc783959cca5 100644 --- a/master-standalone-strict/localvolumesource-v1.json +++ b/master-standalone-strict/localvolumesource-v1.json @@ -1,5 +1,5 @@ { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/localvolumesource.json b/master-standalone-strict/localvolumesource.json index 96234ac2db045574b8ba6f8e441e2c78acef1bca..9316c372174add4311edc71a9a20fc783959cca5 100644 --- a/master-standalone-strict/localvolumesource.json +++ b/master-standalone-strict/localvolumesource.json 
@@ -1,5 +1,5 @@ { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/metricspec-autoscaling-v2.json b/master-standalone-strict/metricspec-autoscaling-v2.json index b6a8d0ccb73711dbcece80333d94bc723d551cab..4c065bf59b6f45712e307b5ff50c1d0b1df21fb5 100644 --- a/master-standalone-strict/metricspec-autoscaling-v2.json +++ b/master-standalone-strict/metricspec-autoscaling-v2.json @@ -628,7 +628,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": [ "string", "null" diff --git a/master-standalone-strict/metricspec.json b/master-standalone-strict/metricspec.json index b6a8d0ccb73711dbcece80333d94bc723d551cab..4c065bf59b6f45712e307b5ff50c1d0b1df21fb5 100644 --- a/master-standalone-strict/metricspec.json +++ b/master-standalone-strict/metricspec.json 
@@ -628,7 +628,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": [ "string", "null" diff --git a/master-standalone-strict/metricstatus-autoscaling-v2.json b/master-standalone-strict/metricstatus-autoscaling-v2.json index 6bd18a3f9393e788bb341eb68d4d340533735fbf..fc8ca92ab2a6cebd4ef59c5384505c2021d09109 100644 --- a/master-standalone-strict/metricstatus-autoscaling-v2.json +++ b/master-standalone-strict/metricstatus-autoscaling-v2.json @@ -593,7 +593,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": [ "string", "null" diff --git a/master-standalone-strict/metricstatus.json b/master-standalone-strict/metricstatus.json index 6bd18a3f9393e788bb341eb68d4d340533735fbf..fc8ca92ab2a6cebd4ef59c5384505c2021d09109 100644 --- a/master-standalone-strict/metricstatus.json +++ b/master-standalone-strict/metricstatus.json 
@@ -593,7 +593,7 @@ "additionalProperties": false }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": [ "string", "null" diff --git a/master-standalone-strict/validatingadmissionpolicy-admissionregistration-v1alpha1.json b/master-standalone-strict/mutatingadmissionpolicy-admissionregistration-v1alpha1.json similarity index 72% rename from master-standalone-strict/validatingadmissionpolicy-admissionregistration-v1alpha1.json rename to master-standalone-strict/mutatingadmissionpolicy-admissionregistration-v1alpha1.json index 7c51c298449cf3bf4b274c106fada4a9a8372ada..d2045c62869b83b2bb8c40de01aa70f216d05878 100644 --- a/master-standalone-strict/validatingadmissionpolicy-admissionregistration-v1alpha1.json +++ b/master-standalone-strict/mutatingadmissionpolicy-admissionregistration-v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -18,7 +18,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
@@ -275,47 +275,17 @@ "additionalProperties": false }, "spec": { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": "string" - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": [ "string", "null" ] }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. 
Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "properties": { "expression": { 
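Review bot: the new `failurePolicy` and `matchConditions` descriptions still carry wording from the validating policy: "failurePolicy does not define how validations that evaluate to false are handled", "conditions that must be met for a request to be validated" and "in the same manner as validation expressions". This kind is described as mutating the object, so the text should refer to mutations, and it should say explicitly what `Ignore` means when a mutation expression errors. If the request then proceeds unmutated, a policy relied on to set a default would stop applying it without any rejection. The hunk also drops `auditAnnotations` with no replacement visible here; please confirm how an applied mutation is meant to be traced in the audit event.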
@@ -694,6 +664,65 @@ "x-kubernetes-map-type": "atomic", "additionalProperties": false }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. 
- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, "paramKind": { "description": "ParamKind is a tuple of Group Kind and Version.", "properties": { 
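Review bot: in the `mutations` item schema, `patchType` is documented as allowing only "ApplyConfiguration" and "JSONPatch" but is declared as a bare `"type": "string"` with no `enum`, unlike `kind` in this same file. Nothing links it to the member it selects either: `applyConfiguration` and `jsonPatch` are both nullable objects, and each `expression` is described as "Required." while being typed `["string", "null"]` with no `required` list. A manifest with a misspelled `patchType`, or with the wrong member populated, therefore passes this strict schema. An `enum` plus a union discriminator (as the removed LimitResponse schema had with `x-kubernetes-unions`) would catch both. Minor: the quoting in "`~1' respectively)" and in "'Object.<fieldName1>.<fieldName2>...<fieldNameN>`" is mismatched.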
@@ -719,54 +748,15 @@ "x-kubernetes-map-type": "atomic", "additionalProperties": false }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. 
\"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". 
If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", "type": [ - "array", + "string", "null" - ], - "x-kubernetes-list-type": "atomic" + ] }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "description": "Variable is the definition of a variable that is used for composition.", "properties": { 
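Review bot: `reinvocationPolicy` ends its description with "Required." and lists "Never" and "IfNeeded" as the allowed values, yet the property is typed `["string", "null"]` with no `enum`, so this schema accepts null or any other string. Because "IfNeeded" is documented with "no guarantee of order" and mutations that "may be invoked more than once per binding", the description should also state that mutations need to be idempotent under that setting.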
@@ -793,127 +783,7 @@ "array", "null" ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "status": { - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "description": "Condition contains details for one aspect of the current state of this API Resource.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": "string" - }, - "message": { - "description": "message is a human readable message indicating details about the transition. This may be an empty string.", - "type": "string" - }, - "observedGeneration": { - "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "reason": { - "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. 
This field may not be empty.", - "type": "string" - }, - "status": { - "description": "status of the condition, one of True, False, Unknown.", - "type": "string" - }, - "type": { - "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", - "type": "string" - } - }, - "required": [ - "type", - "status", - "lastTransitionTime", - "reason", - "message" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "typeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": "string" - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false + "x-kubernetes-list-type": "atomic" } }, "type": [ 
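Review bot: `variables` changes from `"x-kubernetes-list-type": "map"` keyed on `name` to `"atomic"`, which removes the only schema-level statement that variable names are unique. The description says a variable "can refer to other variables defined earlier in the list", so duplicate names would make a `variables.<name>` reference ambiguous; please document or enforce uniqueness some other way. The same hunk deletes the whole `status` block, including `typeChecking.expressionWarnings`, so no place remains visible here where CEL type-check warnings for the mutation expressions would be reported.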
@@ -927,7 +797,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ], diff --git a/master-standalone-strict/mutatingadmissionpolicy.json b/master-standalone-strict/mutatingadmissionpolicy.json new file mode 100644 index 0000000000000000000000000000000000000000..651521f4f3c6765dd8a4282150545acb0611f19d --- /dev/null +++ b/master-standalone-strict/mutatingadmissionpolicy.json 
@@ -0,0 +1,803 @@ +{ + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicy" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "properties": { + "expression": { + "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.", + "type": "string" + }, + "name": { + "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. 
The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 
'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. 
Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). 
ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. 
- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". 
Required.", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. 
The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicy", + "version": "v1alpha1" + } + ], + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json b/master-standalone-strict/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json similarity index 91% rename from master-standalone-strict/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json rename to master-standalone-strict/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json index 8a04d2df655554b2cc6706f25571f4220869f1a8..5d8fe8efc63d665cdabd8352586380f49491a2b6 100644 --- a/master-standalone-strict/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json +++ b/master-standalone-strict/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json 
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
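Review bot: this file is produced by renaming master-standalone-strict/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json (similarity index 91%), so after this change the strict set no longer carries a schema for the v1alpha1 ValidatingAdmissionPolicyBinding at all. Please confirm that is intended and say so in the commit message, because a manifest that still declares that kind under admissionregistration.k8s.io/v1alpha1 will now have nothing to validate against. On the `+` description line itself, the text says the policy is evaluated N times, once per param selected by the binding, but does not say in what order those N mutations are applied to the object. If this file is generated from the upstream OpenAPI spec, leave the wording alone here and raise it upstream instead of hand-editing.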
@@ -18,7 +18,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { @@ -275,7 +275,7 @@ "additionalProperties": false }, "spec": { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", 
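Review bot: the `+` line renames the spec description to MutatingAdmissionPolicyBindingSpec, but the matchResources descriptions that sit under this spec are not updated to match. The copy of this schema added later in the patch as master-standalone-strict/mutatingadmissionpolicybinding.json still reads "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about", "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches", and, under matchPolicy, "would not be sent to the ValidatingAdmissionPolicy". Since only the kind and description lines change in this renamed file, the same stale wording is likely left here too. Someone reading the binding schema to work out which requests get mutated is told about the wrong policy type. If the descriptions are generated from upstream, note the mismatch upstream; otherwise reword them to refer to the admission policy generically.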
@@ -724,25 +724,11 @@ "additionalProperties": false }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": [ "string", "null" ] - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. 
The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" } }, "type": [ @@ -756,7 +742,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ], diff --git a/master-standalone-strict/mutatingadmissionpolicybinding.json b/master-standalone-strict/mutatingadmissionpolicybinding.json new file mode 100644 index 0000000000000000000000000000000000000000..e86659efdcc6a56c116299785f24f2b3f992c390 --- /dev/null +++ b/master-standalone-strict/mutatingadmissionpolicybinding.json 
@@ -0,0 +1,748 @@ +{ + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBinding" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. 
They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. 
Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. 
Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "paramRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": [ + "string", + "null" + ] + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. 
If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": [ + "string", + "null" + ] + }, + "selector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBinding", + "version": "v1alpha1" + } + ], + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json b/master-standalone-strict/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json similarity index 92% rename from master-standalone-strict/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json rename to master-standalone-strict/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json index 61d3029e9e7b17a9bf285791220bab7f8b956acb..82c0c37846c834e3e48a092281f730724c4caf7b 100644 --- a/master-standalone-strict/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json +++ b/master-standalone-strict/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json 
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -14,7 +14,7 @@ "items": { "description": "List of PolicyBinding.", "items": { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -33,7 +33,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { @@ -290,7 +290,7 @@ "additionalProperties": false }, "spec": { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", 
@@ -739,25 +739,11 @@ "additionalProperties": false }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": [ "string", "null" ] - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. 
The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" } }, "type": [ @@ -774,7 +760,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ], @@ -792,7 +778,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBindingList" + "MutatingAdmissionPolicyBindingList" ] }, "metadata": { @@ -842,7 +828,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBindingList", + "kind": "MutatingAdmissionPolicyBindingList", "version": "v1alpha1" } ], 
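Review bot: in the `@@ -739,25 +739,11 @@` hunk, the `policyName` description still ends with "Required." while the property's type stays `["string", "null"]`, so a strict client-side check against this schema accepts a binding whose `policyName` is null. The same description says a binding whose policy reference does not resolve "is considered invalid and will be ignored", which means such a manifest can pass schema linting and then never take effect in the cluster. Suggest the strict variant drop `"null"` from the `policyName` type and list the field under the spec's `required` if it is not already there (the hunk does not show that part of the object). The description is also missing a period in "will be ignored Required."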
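Review bot: the header for this file records a 92% rename from `validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json`, so the validating v1alpha1 list schema leaves `master-standalone-strict` in the same change that adds the mutating one. If dropping it is intended, the commit message should say so, since anything that resolves a schema by the old path will stop finding one and may skip validation. The `@@ -739,25 +739,11 @@` hunk also removes `validationActions` with no replacement field, which is expected for a mutating binding but is only visible here as a side effect of the rename; a plain add plus a plain delete would make that easier to review.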
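Review bot: the added MutatingAdmissionPolicyBinding schema that ends just before this file's header still describes `matchPolicy` and `resourceRules` in terms of the other kind ("would not be sent to the ValidatingAdmissionPolicy", "resources/subresources the ValidatingAdmissionPolicy matches"), and `parameterNotFoundAction` speaks of "successful validation" for a policy that mutates. A reader deciding which requests a mutating binding covers gets the wrong object named in the field help. These strings look generated, so the correction belongs in the source they are generated from; until then, note the mismatch in the change description rather than patching the JSON by hand.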
diff --git a/master-standalone-strict/mutatingadmissionpolicybindinglist.json b/master-standalone-strict/mutatingadmissionpolicybindinglist.json new file mode 100644 index 0000000000000000000000000000000000000000..4ce7ba65897a54761adb841dd77d94f21cf0eb9a --- /dev/null +++ b/master-standalone-strict/mutatingadmissionpolicybindinglist.json 
@@ -0,0 +1,831 @@ +{ + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "items": { + "description": "List of PolicyBinding.", + "items": { + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBinding" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. 
Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. 
A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. 
A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. 
The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. 
'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "paramRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. 
Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": [ + "string", + "null" + ] + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": [ + "string", + "null" + ] + }, + "selector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBinding", + "version": "v1alpha1" + } + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBindingList" + ] + }, + "metadata": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": [ + "string", + "null" + ] + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. 
Clients should not rely on the remainingItemCount to be set or to be exact.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBindingList", + "version": "v1alpha1" + } + ], + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json b/master-standalone-strict/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json similarity index 88% rename from master-standalone-strict/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json rename to master-standalone-strict/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json index 79cc022b1b8a98ffda328d3e6bbeb52a6a2cb8cf..9ac5429129ff272debd0305ce15208e44ecec408 100644 --- a/master-standalone-strict/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json +++ b/master-standalone-strict/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json 
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", 
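Review bot: Only the top-level `description` is switched to MutatingAdmissionPolicyBindingSpec in this hunk, while nested descriptions in the same file still name the validating API. The file added as mutatingadmissionpolicybindingspec.json has the same blob id (9ac5429) and shows `excludeResourceRules`, `matchPolicy` and `resourceRules` all referring to "the ValidatingAdmissionPolicy", and `parameterNotFoundAction` speaking of "successful validation". If these schemas are generated from an upstream API description, the wording should be corrected there rather than by hand, otherwise readers and editor tooltips will describe a mutating binding in validating terms. The header also records this as a rename, so master-standalone-strict no longer carries validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json; confirm nothing still resolves that path, since a validator set to skip missing schemas would pass such manifests unchecked.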
@@ -448,25 +448,11 @@ "additionalProperties": false }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": [ "string", "null" ] - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. 
The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" } }, "type": "object", diff --git a/master-standalone-strict/mutatingadmissionpolicybindingspec.json b/master-standalone-strict/mutatingadmissionpolicybindingspec.json new file mode 100644 index 0000000000000000000000000000000000000000..9ac5429129ff272debd0305ce15208e44ecec408 --- /dev/null +++ b/master-standalone-strict/mutatingadmissionpolicybindingspec.json 
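Review bot: In the `@@ -448,25 +448,11 @@` hunk that ends above, the rewritten `policyName` description still says "Required." but the property is typed `["string", "null"]` and no `required` entry appears in the visible lines, so a binding with a null or missing `policyName` would pass this schema. The same description says a binding whose policy does not exist is "considered invalid and will be ignored", which means a mistyped name drops the mutation without an error, and schema validation cannot catch that. Consider enforcing a non-empty `policyName` where the schema is produced, and a separate check that each binding's `policyName` resolves to a MutatingAdmissionPolicy. The new line also keeps the run-on "will be ignored Required." from the line it replaces; a full stop before "Required." would fix it.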
@@ -0,0 +1,461 @@ +{ + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. 
Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. 
Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "paramRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": [ + "string", + "null" + ] + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. 
If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": [ + "string", + "null" + ] + }, + "selector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/validatingadmissionpolicylist-admissionregistration-v1alpha1.json b/master-standalone-strict/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json similarity index 74% rename from master-standalone-strict/validatingadmissionpolicylist-admissionregistration-v1alpha1.json rename to master-standalone-strict/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json index 967e8964a186f558413f8cacb08a927ab55c0a29..6b894ba5062470f94f5e0a5a197b274d221607bc 100644 --- a/master-standalone-strict/validatingadmissionpolicylist-admissionregistration-v1alpha1.json +++ b/master-standalone-strict/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -14,7 +14,7 @@ "items": { "description": "List of ValidatingAdmissionPolicy.", "items": { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -33,7 +33,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
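Review bot: In the `@@ -14,7 +14,7 @@` hunk the unchanged context line `"description": "List of ValidatingAdmissionPolicy."` is left as the description of `items` while the element description directly below it becomes MutatingAdmissionPolicy, so the renamed MutatingAdmissionPolicyList schema documents the wrong kind. The same string is added verbatim in the new master-standalone-strict/mutatingadmissionpolicylist.json. If these files are generated, the wording needs fixing in the source the generator reads; otherwise change it to "List of MutatingAdmissionPolicy." here.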
@@ -290,47 +290,17 @@ "additionalProperties": false }, "spec": { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": "string" - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": [ "string", "null" ] }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. 
Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "properties": { "expression": { 
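Review bot: The new `failurePolicy` and `matchConditions` descriptions still talk about validation: `failurePolicy does not define how validations that evaluate to false are handled`, `conditions that must be met for a request to be validated`, and params accessible `in the same manner as validation expressions`, although this hunk removes `auditAnnotations` and the spec is now about mutations. The sentence tying Fail to the binding's `validationActions` is dropped without a replacement, so the text never says what each value means for a mutation. State explicitly whether Ignore admits the request with the mutation unapplied when a CEL expression errors, because policies that inject security defaults depend on that behaviour.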
@@ -709,6 +679,65 @@ "x-kubernetes-map-type": "atomic", "additionalProperties": false }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. 
- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, "paramKind": { "description": "ParamKind is a tuple of Group Kind and Version.", "properties": { 
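Review bot: `patchType` in the new `mutations` item is typed as a bare `"type": "string"` although its description limits it to "ApplyConfiguration" and "JSONPatch", and it is the only entry in `required`, so this strict schema accepts any patchType string and also accepts an item that names a patch type but carries neither `applyConfiguration` nor `jsonPatch`. Add an `enum` with the two values and, if the generator allows it, a conditional requirement on the matching sub-object. Separately, the `jsonPatch.expression` description has mismatched quoting and a stray parenthesis in "'~' and '/' are escaped as '~0' and `~1' respectively)", and both expression descriptions open "'Object.<fieldName1>.<fieldName2>...<fieldNameN>`" with a single quote and close it with a backtick.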
@@ -734,54 +763,15 @@ "x-kubernetes-map-type": "atomic", "additionalProperties": false }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. 
\"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". 
If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", "type": [ - "array", + "string", "null" - ], - "x-kubernetes-list-type": "atomic" + ] }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "description": "Variable is the definition of a variable that is used for composition.", "properties": { 
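Review bot: `reinvocationPolicy` is described as Required with allowed values "Never" and "IfNeeded", but the added schema types it as `"string"` or `"null"` with no `enum`, so a misspelled or null value passes strict validation. Since the value decides whether mutations may run more than once per binding with no ordering guarantee, add the two-value `enum` here, and either drop `"null"` from the type or drop "Required" from the description so the two agree.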
@@ -808,127 +798,7 @@ "array", "null" ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "status": { - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "description": "Condition contains details for one aspect of the current state of this API Resource.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": "string" - }, - "message": { - "description": "message is a human readable message indicating details about the transition. This may be an empty string.", - "type": "string" - }, - "observedGeneration": { - "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "reason": { - "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. 
This field may not be empty.", - "type": "string" - }, - "status": { - "description": "status of the condition, one of True, False, Unknown.", - "type": "string" - }, - "type": { - "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", - "type": "string" - } - }, - "required": [ - "type", - "status", - "lastTransitionTime", - "reason", - "message" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "typeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": "string" - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false + "x-kubernetes-list-type": "atomic" } }, "type": [ 
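Review bot: At the top of this hunk the `variables` list changes from `"x-kubernetes-list-type": "map"` keyed on `name` (with `x-kubernetes-patch-merge-key` and the merge strategy) to `"x-kubernetes-list-type": "atomic"`, which drops the key that expressed one entry per variable name and means the list is replaced as a whole on update. Please confirm that is intended for MutatingAdmissionPolicy and not a side effect of the rename. The same hunk removes the entire `status` block, including `typeChecking.expressionWarnings`, so nothing in this schema reports type-check warnings for the new `mutations` expressions; if that is by design it deserves a line in the commit message.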
@@ -945,7 +815,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ], @@ -963,7 +833,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyList" + "MutatingAdmissionPolicyList" ] }, "metadata": { @@ -1013,7 +883,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyList", + "kind": "MutatingAdmissionPolicyList", "version": "v1alpha1" } ], diff --git a/master-standalone-strict/mutatingadmissionpolicylist.json b/master-standalone-strict/mutatingadmissionpolicylist.json new file mode 100644 index 0000000000000000000000000000000000000000..08dd9ba70ea92a3bc51d23ae55f50eed025ee966 --- /dev/null +++ b/master-standalone-strict/mutatingadmissionpolicylist.json 
@@ -0,0 +1,886 @@ +{ + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "items": { + "description": "List of ValidatingAdmissionPolicy.", + "items": { + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicy" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. 
They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "properties": { + "expression": { + "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.", + "type": "string" + }, + "name": { + "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. 
The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 
'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. 
Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). 
ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. 
- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". 
Required.", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. 
The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicy", + "version": "v1alpha1" + } + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyList" + ] + }, + "metadata": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. 
Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": [ + "string", + "null" + ] + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyList", + "version": "v1alpha1" + } + ], + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json b/master-standalone-strict/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json similarity index 69% rename from master-standalone-strict/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json rename to master-standalone-strict/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json index 1157556e013c9bc29490a0516a2e2de136e64687..8d2da03b0ad7ffb4732cd2c94e6adf3115301f16 100644 --- a/master-standalone-strict/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json +++ b/master-standalone-strict/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json 
@@ -1,45 +1,15 @@ { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": "string" - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": [ "string", "null" ] }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. 
Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "properties": { "expression": { 
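Review bot: the `+` descriptions of `failurePolicy` and `matchConditions` still carry validation wording that does not fit a mutating spec: "failurePolicy does not define how validations that evaluate to false are handled", "conditions that must be met for a request to be validated" and "in the same manner as validation expressions". This hunk removes `auditAnnotations` and the policy is now a MutatingAdmissionPolicySpec, so please reword these for mutations. Since step 3 of the matching logic says that with failurePolicy=Ignore a matchCondition error skips the policy, the `failurePolicy` description should also state that Ignore means the mutation is not applied and the request proceeds unmodified, which matters when a mutation is relied on to set a security default.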
@@ -418,6 +388,65 @@ "x-kubernetes-map-type": "atomic", "additionalProperties": false }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. 
- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, "paramKind": { "description": "ParamKind is a tuple of Group Kind and Version.", "properties": { 
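Review bot: in the new `mutations` item schema only `patchType` is listed in `required`, while `applyConfiguration` and `jsonPatch` are both nullable objects, and none of the descriptions says which of them must be set for a given `patchType` or what happens when both or neither are present. Please document the pairing in the `patchType` description, for example that `jsonPatch` must be set when patchType is "JSONPatch" and `applyConfiguration` when it is "ApplyConfiguration". Minor: the `jsonpatch.escapeKey` bullet has mismatched quoting and a stray closing parenthesis ("'~0' and `~1' respectively)"), and the nested-field bullet opens 'Object.<fieldName1>... with a single quote but closes it with a backtick.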
@@ -443,54 +472,15 @@ "x-kubernetes-map-type": "atomic", "additionalProperties": false }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. 
\"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". 
If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", "type": [ - "array", + "string", "null" - ], - "x-kubernetes-list-type": "atomic" + ] }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "description": "Variable is the definition of a variable that is used for composition.", "properties": { @@ -517,12 +507,7 @@ "array", "null" ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" + "x-kubernetes-list-type": "atomic" } }, "type": "object", diff --git a/master-standalone-strict/mutatingadmissionpolicyspec.json b/master-standalone-strict/mutatingadmissionpolicyspec.json new file mode 100644 index 0000000000000000000000000000000000000000..8d2da03b0ad7ffb4732cd2c94e6adf3115301f16 --- /dev/null +++ b/master-standalone-strict/mutatingadmissionpolicyspec.json 
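Review bot: in the `@@ -443,54 +472,15 @@` hunk above, the `reinvocationPolicy` description for IfNeeded says mutations may be invoked more than once per binding with no ordering guarantee, but it never states the consequence for policy authors, namely that such mutations need to be idempotent; please say so explicitly. The sentence "Mutations are only reinvoked when mutations change the object after this mutation is invoked" is also ambiguous about which mutations are meant and would read more clearly as other mutations changing the object.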
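Review bot: the `variables` description should say that the list is replaced as a whole, since the `@@ -517,12 +507,7 @@` hunk above drops `x-kubernetes-list-map-keys: name` and the `merge` patch strategy in favour of `x-kubernetes-list-type: atomic`. With the map key gone the schema no longer expresses that variable names are unique, so that constraint should be stated in the `variables` description as well, next to the existing ordering requirement.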
@@ -0,0 +1,516 @@ +{ + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "properties": { + "expression": { + "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.", + "type": "string" + }, + "name": { + "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. 
The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. 
'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. 
Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). 
ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. 
- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". 
Required.", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. 
The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/mutation-admissionregistration-v1alpha1.json b/master-standalone-strict/mutation-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..ebdb64106accacc39e03beb07e0f9bc0a6565448 --- /dev/null +++ b/master-standalone-strict/mutation-admissionregistration-v1alpha1.json 
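Review bot: in the spec schema that closes just before the `diff --git` header for mutation-admissionregistration-v1alpha1.json, several constraints stated in the descriptions are not enforced by the schema itself. `reinvocationPolicy` is described as "Required." but is typed `["string", "null"]`, and the visible tail goes from the end of `properties` straight to `"type": "object"` with no `required` list. `mutations` says "a minimum of one mutation is required" but is typed `["array", "null"]` with no `minItems`. A manifest that omits both would pass this strict schema. If the schema cannot be tightened here, the change description should say so, so that a passing validation is not read as proof that the object will be accepted.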
@@ -0,0 +1,52 @@ +{ + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "patchType" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/mutation.json b/master-standalone-strict/mutation.json new file mode 100644 index 0000000000000000000000000000000000000000..ebdb64106accacc39e03beb07e0f9bc0a6565448 --- /dev/null +++ b/master-standalone-strict/mutation.json 
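Review bot: in master-standalone-strict/mutation-admissionregistration-v1alpha1.json, `patchType` is listed under `required` but typed `["string", "null"]` with no `enum`, so `patchType: null` or any arbitrary string validates even though the description allows only "ApplyConfiguration" and "JSONPatch". Suggest `"type": "string"` with `"enum": ["ApplyConfiguration", "JSONPatch"]`. Nothing in the schema ties the chosen `patchType` to the presence of the matching `applyConfiguration` or `jsonPatch` object either, since both are optional and nullable. A conditional (`if`/`then`) or a documented note that this check is left to the API server would close that gap.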
@@ -0,0 +1,52 @@ +{ + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "patchType" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/nonresourcepolicyrule-flowcontrol-v1beta3.json b/master-standalone-strict/nonresourcepolicyrule-flowcontrol-v1beta3.json deleted file mode 100644 index 0466e41f0cc6e8867e430572e4928ad001079016..0000000000000000000000000000000000000000 --- a/master-standalone-strict/nonresourcepolicyrule-flowcontrol-v1beta3.json +++ /dev/null 
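Review bot: in master-standalone-strict/mutation.json, the property-name pattern quoted in both `expression` descriptions, `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*`, places `-` between `.` and `/`, which a regex engine reads as the range from `.` to `/`, so a literal hyphen is not part of the class as written. If hyphens are meant to be allowed, the class should end with the hyphen, for example `[a-zA-Z_./-]`. The same descriptions also carry mismatched quoting: `'Object.<fieldName1>.<fieldName2>...<fieldNameN>` ` opens with an apostrophe and closes with a backtick, and the `jsonpatch.escapeKey` line reads `'~0' and `~1' respectively).` with an unbalanced closing parenthesis. This file has the same blob id (ebdb6410...) as mutation-admissionregistration-v1alpha1.json, so any fix needs to land in both.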
@@ -1,40 +0,0 @@ -{ - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/opaquedeviceconfiguration-resource-v1beta1.json b/master-standalone-strict/opaquedeviceconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..b0054592504870f3874043f1b2fea6472b7ada7f --- /dev/null +++ b/master-standalone-strict/opaquedeviceconfiguration-resource-v1beta1.json 
@@ -0,0 +1,26 @@ +{ + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": [ + "string", + "null" + ] + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. 
(TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "driver", + "parameters" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/persistentvolume-v1.json b/master-standalone-strict/persistentvolume-v1.json index bdae2190acec551a0abe7b2d618f25434a8f9dde..822fc8469aadf2e09cced40151e93b042705b758 100644 --- a/master-standalone-strict/persistentvolume-v1.json +++ b/master-standalone-strict/persistentvolume-v1.json @@ -633,7 +633,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1168,7 +1168,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/persistentvolume.json b/master-standalone-strict/persistentvolume.json index 5b6c127bcc86014522e87a44011f46aa80c5cfb7..fdf420a942298b1dc545b62caa2118429532c0d3 100644 --- a/master-standalone-strict/persistentvolume.json +++ b/master-standalone-strict/persistentvolume.json 
@@ -630,7 +630,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1165,7 +1165,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/persistentvolumelist-v1.json b/master-standalone-strict/persistentvolumelist-v1.json index b024d271cb4bf9a2822328e6f0d273bb139315c4..ea41bf883559ae7a05036b1d3ab7cfc7eafc8771 100644 --- a/master-standalone-strict/persistentvolumelist-v1.json +++ b/master-standalone-strict/persistentvolumelist-v1.json @@ -648,7 +648,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", 
@@ -1183,7 +1183,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/persistentvolumelist.json b/master-standalone-strict/persistentvolumelist.json index bff821716697e27ae5245f8bfc4576fe3508ee3a..ef034195ff1eccf520b4da37e25a03f5b808f62c 100644 --- a/master-standalone-strict/persistentvolumelist.json +++ b/master-standalone-strict/persistentvolumelist.json @@ -642,7 +642,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1177,7 +1177,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
diff --git a/master-standalone-strict/persistentvolumespec-v1.json b/master-standalone-strict/persistentvolumespec-v1.json index b6abb8e28b0a99d1a602c5e331a90c17c64194ff..2206b2e9c27331f4a02d7ac8b77884b413d993e1 100644 --- a/master-standalone-strict/persistentvolumespec-v1.json +++ b/master-standalone-strict/persistentvolumespec-v1.json @@ -357,7 +357,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -892,7 +892,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/persistentvolumespec.json b/master-standalone-strict/persistentvolumespec.json index b6abb8e28b0a99d1a602c5e331a90c17c64194ff..2206b2e9c27331f4a02d7ac8b77884b413d993e1 100644 --- a/master-standalone-strict/persistentvolumespec.json +++ b/master-standalone-strict/persistentvolumespec.json 
@@ -357,7 +357,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -892,7 +892,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/pod-v1.json b/master-standalone-strict/pod-v1.json index 665444525922f80e3995111c9b5f250aaadbf06f..64fc007a3d254eb9bdd306e4d9101c212b9b511e 100644 --- a/master-standalone-strict/pod-v1.json +++ b/master-standalone-strict/pod-v1.json 
@@ -10469,7 +10469,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -11035,7 +11035,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
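Review bot: the new `containerStatuses` and `ephemeralContainerStatuses` descriptions in pod-v1.json say the one-status-per-container rule "is not enforced", and these hunks change only the description text, so a pod status with duplicate names or with a status for a container that is not in the pod still validates against this schema. Anything that reads these lists to make a decision should match entries by name against the pod spec and treat duplicate or unknown names as untrusted input. It would help to say that in the description, since "those statuses might be ignored" leaves each consumer to guess which entry wins.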
@@ -11635,7 +11635,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone-strict/pod.json b/master-standalone-strict/pod.json index 47f8005d0ead537bb8df35a8f62dc1a86c78a5f0..0b84b29222b87c2fca334bb5905dca204fc41886 100644 --- a/master-standalone-strict/pod.json +++ b/master-standalone-strict/pod.json 
@@ -10466,7 +10466,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -11032,7 +11032,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
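Review bot: the link added to the `ephemeralContainerStatuses` description in pod.json is `https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status`, while the `initContainerStatuses` description added in the next hunk of the same file uses `pod-lifecycle/#pod-and-container-status`, with a slash before the fragment. Use one form across the three status descriptions so the generated references stay consistent.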
@@ -11632,7 +11632,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone-strict/podlist-v1.json b/master-standalone-strict/podlist-v1.json index e8b7bf143fc9f5e15178a4be73f3323e9bd2d8e8..f7f87e74bc8b9e720ae39c94b9e66e7305e2dfe1 100644 --- a/master-standalone-strict/podlist-v1.json +++ b/master-standalone-strict/podlist-v1.json 
@@ -10484,7 +10484,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -11050,7 +11050,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -11650,7 +11650,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone-strict/podlist.json b/master-standalone-strict/podlist.json index 07fafa920970cd887f4662ec33e8d3744bc96896..3fa53c8062630033e4f1ab320391f8d8f5e3a811 100644 --- a/master-standalone-strict/podlist.json +++ b/master-standalone-strict/podlist.json 
@@ -10478,7 +10478,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -11044,7 +11044,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -11644,7 +11644,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone-strict/podstatus-v1.json b/master-standalone-strict/podstatus-v1.json index f1a36453b287e7e8591aec27bf4328079bd02117..bfc39a167fbd1a223ce9b6ad8653c8b0185066fc 100644 --- a/master-standalone-strict/podstatus-v1.json +++ b/master-standalone-strict/podstatus-v1.json 
@@ -67,7 +67,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -633,7 +633,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -1233,7 +1233,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone-strict/podstatus.json b/master-standalone-strict/podstatus.json index f1a36453b287e7e8591aec27bf4328079bd02117..bfc39a167fbd1a223ce9b6ad8653c8b0185066fc 100644 --- a/master-standalone-strict/podstatus.json +++ b/master-standalone-strict/podstatus.json 
@@ -67,7 +67,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -633,7 +633,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -1233,7 +1233,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone-strict/policyruleswithsubjects-flowcontrol-v1beta3.json b/master-standalone-strict/policyruleswithsubjects-flowcontrol-v1beta3.json deleted file mode 100644 index 78ae3521b38561d0a5ef7e146c98b1a77e0d73a7..0000000000000000000000000000000000000000 --- a/master-standalone-strict/policyruleswithsubjects-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,223 +0,0 @@ -{ - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", - "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. 
A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. 
There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": "string" - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": "string" - } - }, - "required": [ - "namespace", - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. 
Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "required": [ - "kind" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/prioritylevelconfiguration.json b/master-standalone-strict/prioritylevelconfiguration.json index 7a1690bfeef95bfc0716a79943301ed6c78fde76..2d1ad3f29b6fe4815ebc105b0e808e7f614b6c28 100644 --- a/master-standalone-strict/prioritylevelconfiguration.json +++ b/master-standalone-strict/prioritylevelconfiguration.json 
@@ -379,7 +379,7 @@ "additionalProperties": false }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", @@ -491,7 +491,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "version": "v1" } ], "additionalProperties": false, 
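Review bot: In the `nominalConcurrencyShares` description (hunk at -379,7), the added final sentence stops at "hold some request(s)" with no closing period and no statement of how requests held in such a level are ever dispatched. With NCS set to zero, the formula in the same description gives NominalCL(i) = ceil( ServerCL * 0 / sum_ncs ) = 0, so someone auditing a PriorityLevelConfiguration for availability impact cannot tell from this text whether requests routed to the level wait indefinitely, are rejected, or can still run on borrowed seats. Suggest completing the sentence and stating that outcome explicitly. Since zero is now a documented value, also consider whether the property should carry a `"minimum": 0` next to `"format": "int32"`; nothing in the visible context stops a negative value from validating.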
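Review bot: The `x-kubernetes-group-version-kind` entry in the hunk at -491,7 now pins `PriorityLevelConfiguration` to `"version": "v1"`, and the surrounding patch deletes the `*-flowcontrol-v1beta3.json` files under `master-standalone-strict/`, so a manifest that still declares `flowcontrol.apiserver.k8s.io/v1beta3` no longer has a strict schema in this directory. Depending on how a validator treats a missing schema, such objects are either rejected or passed through unvalidated, and the second case silently weakens a CI gate. Suggest calling out the v1beta3 removal in the change description so consumers can update their manifests or pin to an earlier schema set.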
diff --git a/master-standalone-strict/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json b/master-standalone-strict/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json deleted file mode 100644 index 2470a491ee0035f4363cd614830e31af24d7653d..0000000000000000000000000000000000000000 --- a/master-standalone-strict/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/prioritylevelconfigurationlist-flowcontrol-v1beta3.json b/master-standalone-strict/prioritylevelconfigurationlist-flowcontrol-v1beta3.json deleted file mode 100644 index 587494b508cd8a41e8fe08c7cfa25d53a34c8f2d..0000000000000000000000000000000000000000 --- a/master-standalone-strict/prioritylevelconfigurationlist-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,588 +0,0 @@ -{ - "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "items": { - "description": "`items` is a list of request-priorities.", - "items": { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "PriorityLevelConfiguration" - ] - }, - "metadata": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "properties": { - "annotations": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", - "type": [ - "object", - "null" - ] - }, - "creationTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "deletionTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set", - "x-kubernetes-patch-strategy": "merge" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": [ - "string", - "null" - ] - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "labels": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", - "type": [ - "object", - "null" - ] - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "items": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": [ - "string", - "null" - ] - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": [ - "string", - "null" - ] - }, - "fieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": [ - "object", - "null" - ] - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": [ - "string", - "null" - ] - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": [ - "string", - "null" - ] - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": [ - "string", - "null" - ] - }, - "time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "name": { - "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", - "type": [ - "string", - "null" - ] - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "items": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "properties": { - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": [ - "boolean", - "null" - ] - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": [ - "boolean", - "null" - ] - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - }, - "required": [ - "apiVersion", - "kind", - "name", - "uid" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-map-type": "atomic", - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "uid" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "spec": { - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", - "properties": { - "exempt": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. 
This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "limited": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", - "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). 
When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. 
If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], - "additionalProperties": false - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. 
This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ], - "additionalProperties": false - }, - "status": { - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "type": [ - "object", - "null" - ], - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" - } - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "PriorityLevelConfigurationList" - ] - }, - "metadata": { - "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. 
A resource may have only one of {ObjectMeta, ListMeta}.", - "properties": { - "continue": { - "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", - "type": [ - "string", - "null" - ] - }, - "remainingItemCount": { - "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "resourceVersion": { - "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" - } - ], - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/prioritylevelconfigurationlist.json b/master-standalone-strict/prioritylevelconfigurationlist.json index 9b90344d6e11ad423dac1692e8a9ccaaa8786575..1ed352002453f07883d0a54cf517cd073be16ce5 100644 --- a/master-standalone-strict/prioritylevelconfigurationlist.json +++ b/master-standalone-strict/prioritylevelconfigurationlist.json 
@@ -391,7 +391,7 @@ "additionalProperties": false }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", @@ -506,7 +506,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "version": "v1" } ], "additionalProperties": false 
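Review bot: the `"version"` switch from `v1beta3` to `v1` for `PriorityLevelConfiguration` in this hunk lands in the same patch that deletes the `*-flowcontrol-v1beta3.json` files under `master-standalone-strict`, so after this change nothing in that directory describes the v1beta3 flow-control kinds. Manifests still written against `flowcontrol.apiserver.k8s.io/v1beta3` will have no matching schema here, and whether that shows up as a validation failure or a silent skip depends on how the consuming validator is configured. Suggest stating the removal in the commit message or changelog so that users pinned to v1beta3 know to validate against an older schema set.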
@@ -574,7 +574,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" + "version": "v1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/prioritylevelconfigurationreference-flowcontrol-v1beta3.json b/master-standalone-strict/prioritylevelconfigurationreference-flowcontrol-v1beta3.json deleted file mode 100644 index b4fcb4f9fff20f8b3f684ddbd2426d78aa006669..0000000000000000000000000000000000000000 --- a/master-standalone-strict/prioritylevelconfigurationreference-flowcontrol-v1beta3.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/prioritylevelconfigurationspec-flowcontrol-v1beta3.json b/master-standalone-strict/prioritylevelconfigurationspec-flowcontrol-v1beta3.json deleted file mode 100644 index c0a75a456ad6066609b39e0f5bf4105260d51dce..0000000000000000000000000000000000000000 --- a/master-standalone-strict/prioritylevelconfigurationspec-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", - "properties": { - "exempt": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "limited": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. 
It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", - "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. 
When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. 
Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], - "additionalProperties": false - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. 
Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ], - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/prioritylevelconfigurationspec.json b/master-standalone-strict/prioritylevelconfigurationspec.json index c0a75a456ad6066609b39e0f5bf4105260d51dce..70bde20eb7bfc3fc0d30a42da66d65df4f04ce14 100644 --- a/master-standalone-strict/prioritylevelconfigurationspec.json +++ b/master-standalone-strict/prioritylevelconfigurationspec.json 
@@ -106,7 +106,7 @@ "additionalProperties": false }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", 
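Review bot: the new `nominalConcurrencyShares` description ends at `used to hold some request(s)` with no terminal punctuation and reads as cut off; it never says what happens to requests held at a level whose share is zero. By the formula in the same description, NCS(i) = 0 gives NominalCL(i) = 0, so it would help to state whether such a level can still execute anything through borrowing or whether held requests simply wait. Since zero is now a documented value, consider declaring a lower bound as well: the constraints visible in this hunk are only `"format": "int32"` and an integer-or-null `type`, which also accept negative numbers. The identical text is added in the `prioritylevelconfigurationlist.json` hunk earlier in this patch, so any wording fix should cover both.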
diff --git a/master-standalone-strict/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json b/master-standalone-strict/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json deleted file mode 100644 index c01a0ee9c7dc9291f3637e910427355d00d00bf3..0000000000000000000000000000000000000000 --- a/master-standalone-strict/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/queuingconfiguration-flowcontrol-v1beta3.json b/master-standalone-strict/queuingconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index dad60bb682f8339c72a38169178882578b840070..0000000000000000000000000000000000000000 
--- a/master-standalone-strict/queuingconfiguration-flowcontrol-v1beta3.json +++ /dev/null @@ -1,32 +0,0 @@ -{ - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone-strict/resourceclaim-resource-v1beta1.json b/master-standalone-strict/resourceclaim-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e7d484fa78ed8cc7cf7b60bcf5c476dff13f16de --- /dev/null +++ b/master-standalone-strict/resourceclaim-resource-v1beta1.json 
@@ -0,0 +1,794 @@ +{ + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaim" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. 
If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. 
device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "status": { + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. 
They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. 
This may get increased in the future, but not reduced.", + "items": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1beta1" + } + ], + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/resourceclaim.json b/master-standalone-strict/resourceclaim.json index 1e1e6671bba8576b10f248edf5c70abcf71eb663..bdfe446acb6751f221149bdde41b95a7008861e3 100644 --- a/master-standalone-strict/resourceclaim.json +++ b/master-standalone-strict/resourceclaim.json 
@@ -783,7 +783,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/resourceclaimconsumerreference-resource-v1beta1.json b/master-standalone-strict/resourceclaimconsumerreference-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..6e084cd1a22d45a70fa0e5d1a760b27968b6a6bf --- /dev/null +++ b/master-standalone-strict/resourceclaimconsumerreference-resource-v1beta1.json @@ -0,0 +1,41 @@ +{ + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": [ + "string", + "null" + ] + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/resourceclaimlist-resource-v1beta1.json b/master-standalone-strict/resourceclaimlist-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..86a64688b802ea6affac71b51f19abd622598163 --- /dev/null +++ b/master-standalone-strict/resourceclaimlist-resource-v1beta1.json 
@@ -0,0 +1,877 @@ +{ + "description": "ResourceClaimList is a collection of claims.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "items": { + "description": "Items is the list of resource claims.", + "items": { + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaim" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. 
If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. 
The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. 
All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. 
The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. 
Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? 
Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. 
This may get increased in the future, but not reduced.", + "items": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1beta1" + } + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimList" + ] + }, + "metadata": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": [ + "string", + "null" + ] + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. 
Clients should not rely on the remainingItemCount to be set or to be exact.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimList", + "version": "v1beta1" + } + ], + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/resourceclaimlist.json b/master-standalone-strict/resourceclaimlist.json index b0e7b8cece96026be2cfe69ae5b275987b3821a8..bdff30ac70888bb79a8f48e88752495ed9d1d699 100644 --- a/master-standalone-strict/resourceclaimlist.json +++ b/master-standalone-strict/resourceclaimlist.json @@ -795,7 +795,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false @@ -863,7 +863,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimList", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false, 
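Review bot: In the added ResourceClaimList schema that ends at `\ No newline at end of file`, `items` is listed under `required` but is typed `["array", "null"]`, so a document carrying `"items": null` still validates. If the strict variant is meant to reject that, drop `"null"` from the type of required properties in the generator. The file also ends without a trailing newline, which is worth fixing in the same generator pass so later regenerations do not produce a spurious diff on the last line.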
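Review bot: The hunk at `@@ -863,7 +863,7 @@` in `master-standalone-strict/resourceclaimlist.json`, like the one at `@@ -795,7 +795,7 @@` before it, replaces `"version": "v1alpha3"` with `"version": "v1beta1"` in `x-kubernetes-group-version-kind` instead of adding a second entry, so the unversioned file no longer names v1alpha3 at all. Please say in the commit message that the unversioned schemas follow the newest version, and confirm that a version-suffixed v1alpha3 schema is still available for manifests written against `resource.k8s.io/v1alpha3`; otherwise those manifests will be checked against the v1beta1 shape by anyone who resolves the schema by kind alone.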
diff --git a/master-standalone-strict/resourceclaimspec-resource-v1beta1.json b/master-standalone-strict/resourceclaimspec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e67bf6c8a8a9d4309442c66d710c7a1d239059f7 --- /dev/null +++ b/master-standalone-strict/resourceclaimspec-resource-v1beta1.json 
@@ -0,0 +1,198 @@ +{ + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. 
If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. 
device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/resourceclaimstatus-resource-v1beta1.json b/master-standalone-strict/resourceclaimstatus-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..d2b75a43c9d2696690823a96e5a074d9ec520d97 --- /dev/null +++ b/master-standalone-strict/resourceclaimstatus-resource-v1beta1.json 
@@ -0,0 +1,301 @@ +{ + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. 
If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. 
This may get increased in the future, but not reduced.", + "items": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/resourceclaimtemplate-resource-v1beta1.json b/master-standalone-strict/resourceclaimtemplate-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..313b0bf2480a6fe9767bfd63b1b3d2481e482efd --- /dev/null +++ b/master-standalone-strict/resourceclaimtemplate-resource-v1beta1.json 
@@ -0,0 +1,754 @@ +{ + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimTemplate" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. 
Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. 
If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. 
The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. 
All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. 
The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1beta1" + } + ], + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
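Review bot: several limits in the DeviceRequest part of this new v1beta1 ResourceClaimTemplate schema exist only in the description strings, not as schema keywords, so a manifest that breaks them still validates. "count" says "Must be greater than zero" but carries only "format": "int64" with no "minimum": 1. "allocationMode" names ExactCount and All as the supported values and tells clients to refuse unknown modes, yet has no "enum". The CEL "expression" says its length "must be smaller or equal to 10 Ki" with no "maxLength". If this file is generated, the keywords would have to come from the generator or the upstream spec; otherwise they can be added here. Two fields deserve a caveat for anyone using this schema as a gate: "parameters" under "opaque" is a bare "type": "object", so driver-defined configuration passes unchecked, and "adminAccess" accepts true whether or not the DRAAdminAccess feature gate is enabled, even though its description says such claims "ignore all ordinary claims to the device". Passing this schema should not be read as approval of either field, and a separate policy check on adminAccess is worth having. Text nits in the same hunk: "AlloctionMode" in the allocationMode description, "It's absence" in the DeviceRequest description, the dangling "by clients and ." in resourceVersion, the unclosed "(e.g." in the expression description, and the missing newline at end of file.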
diff --git a/master-standalone-strict/resourceclaimtemplate.json b/master-standalone-strict/resourceclaimtemplate.json index 4cfb5708470db0f5f1b4b8484884136a14f428ef..649e8ed7bdab39a77a127a8bd93170ab78f54003 100644 --- a/master-standalone-strict/resourceclaimtemplate.json +++ b/master-standalone-strict/resourceclaimtemplate.json @@ -743,7 +743,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/resourceclaimtemplatelist-resource-v1beta1.json b/master-standalone-strict/resourceclaimtemplatelist-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..eb3557cd862be59a4066371e4a5de6624ce6a5ab --- /dev/null +++ b/master-standalone-strict/resourceclaimtemplatelist-resource-v1beta1.json 
@@ -0,0 +1,837 @@ +{ + "description": "ResourceClaimTemplateList is a collection of claim templates.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "items": { + "description": "Items is the list of resource claim templates.", + "items": { + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimTemplate" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. 
Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. 
The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. 
It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. 
Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. 
There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "spec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. 
If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. 
device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "spec" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1beta1" + } + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimTemplateList" + ] + }, + "metadata": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. 
The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": [ + "string", + "null" + ] + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplateList", + "version": "v1beta1" + } + ], + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/resourceclaimtemplatelist.json b/master-standalone-strict/resourceclaimtemplatelist.json index 9cf7102e6ac36d91f6da7b0a5d8f101020ea134f..0ecd12d7fb7bec0a7e2a14f487d3bcfbc90d21fc 100644 --- a/master-standalone-strict/resourceclaimtemplatelist.json +++ b/master-standalone-strict/resourceclaimtemplatelist.json @@ -755,7 +755,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false @@ -823,7 +823,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplateList", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/prioritylevelconfiguration-flowcontrol-v1beta3.json b/master-standalone-strict/resourceclaimtemplatespec-resource-v1beta1.json similarity index 53% rename from master-standalone-strict/prioritylevelconfiguration-flowcontrol-v1beta3.json rename to master-standalone-strict/resourceclaimtemplatespec-resource-v1beta1.json index ae1df7dad33b2f344142b6ac0b98688bd3717def..b5a82fc82cf06480f647e0efb958abdd643e7a17 100644 --- a/master-standalone-strict/prioritylevelconfiguration-flowcontrol-v1beta3.json 
+++ b/master-standalone-strict/resourceclaimtemplatespec-resource-v1beta1.json @@ -1,26 +1,6 @@ { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "PriorityLevelConfiguration" - ] - }, "metadata": { "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", "properties": { 
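Review bot: this file is recorded as a 53% rename of prioritylevelconfiguration-flowcontrol-v1beta3.json, but the top of the hunk shows two unrelated types. The PriorityLevelConfiguration description and its apiVersion enum "flowcontrol.apiserver.k8s.io/v1beta3" are removed, and a ResourceClaimTemplateSpec description takes their place. In effect the flowcontrol v1beta3 schema is deleted and a new resource.k8s.io schema is added. The commit message should say so, because anything still validating manifests of that apiVersion against the old path will find no schema there.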
@@ -275,119 +255,190 @@ "additionalProperties": false }, "spec": { - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { - "exempt": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. 
This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "limited": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. 
The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { "type": [ - "integer", + "string", "null" ] }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. 
This field has a default value of 64.", - "format": "int32", + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { "type": [ - "integer", + "string", "null" ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. 
\"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": "string" - } + "type": [ + "object", + "null" + ], + "additionalProperties": false }, - "required": [ - "type" - ], "type": [ - "object", + "array", "null" ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], - "additionalProperties": false + "x-kubernetes-list-type": "atomic" }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). 
Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". 
This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, "type": [ - "integer", + "array", "null" - ] + ], + "x-kubernetes-list-type": "atomic" } }, "type": [ 
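Review bot: in the added DeviceRequest properties, several constraints exist only in description text, so this strict schema accepts values the descriptions rule out. allocationMode is typed string or null with no enum, although only ExactCount and All are listed and clients are told to refuse unknown modes. count says "Must be greater than zero" but has no minimum, and name says "Must be a DNS label" but has no pattern. adminAccess is accepted as a plain boolean even though its description ties it to the DRAAdminAccess feature gate and states that such claims ignore all ordinary claims to the device, so anyone relying on this schema for pre-admission checks still needs a separate policy on who may set it. Two description typos are carried in as well: "AlloctionMode" and "It's absence".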
@@ -395,91 +446,6 @@ "null" ], "additionalProperties": false - }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ], - "additionalProperties": false - }, - "status": { - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. 
Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" } }, "type": [ @@ -489,14 +455,10 @@ "additionalProperties": false } }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" - } + "required": [ + "spec" ], + "type": "object", "additionalProperties": false, "$schema": "http://json-schema.org/schema#" } \ No newline at end of file diff --git a/master-standalone-strict/resourcepolicyrule-flowcontrol-v1beta3.json b/master-standalone-strict/resourcepolicyrule-flowcontrol-v1beta3.json deleted file mode 100644 index 252125a860831b0a5665a6c6ddf2c86d85b59188..0000000000000000000000000000000000000000 --- a/master-standalone-strict/resourcepolicyrule-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). 
This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/resourcepool-resource-v1beta1.json b/master-standalone-strict/resourcepool-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..2b21d88608a0c2c80217c0e97acd607a5a6fe229 --- /dev/null +++ b/master-standalone-strict/resourcepool-resource-v1beta1.json 
@@ -0,0 +1,36 @@ +{ + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
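Review bot: the required list names name, generation and resourceSliceCount, yet each of those properties is typed with "null" as an alternative, so an object carrying "name": null satisfies this schema. The stated limits are also description-only: resourceSliceCount "Must be greater than zero" has no minimum, and the 253-character limit on name has no maxLength. If the generator cannot drop the null alternative for required fields or emit these bounds, document that the strict variant does not enforce them.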
diff --git a/master-standalone-strict/flowschema-flowcontrol-v1beta3.json b/master-standalone-strict/resourceslice-resource-v1beta1.json similarity index 56% rename from master-standalone-strict/flowschema-flowcontrol-v1beta3.json rename to master-standalone-strict/resourceslice-resource-v1beta1.json index 07a38aef5d2a9c3c0b989693a666013820f78629..edfa404132840564f2367139fa629d3056785721 100644 --- a/master-standalone-strict/flowschema-flowcontrol-v1beta3.json +++ b/master-standalone-strict/resourceslice-resource-v1beta1.json 
@@ -1,5 +1,5 @@ { - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,7 +8,7 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "kind": { @@ -18,7 +18,7 @@ "null" ], "enum": [ - "FlowSchema" + "ResourceSlice" ] }, "metadata": { 
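Review bot: The `description` added at the top of resourceslice-resource-v1beta1.json still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate", while the `apiVersion` enum two hunks later pins `resource.k8s.io/v1beta1`. If the text is carried over verbatim from the upstream spec it can stay, but otherwise the alpha wording should be updated so readers are not misled about which API version this file validates. The same paragraph refers to `pool.Spec.Pool.Generation`, whereas the path visible in this schema is `spec.pool.generation`.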
@@ -275,188 +275,92 @@ "additionalProperties": false }, "spec": { - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { - "distinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", "type": [ - "integer", + "boolean", "null" ] }, - "priorityLevelConfiguration": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object", - "additionalProperties": false - }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. 
if it is an empty slice, there will be no requests matching the FlowSchema.", + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] + "basic": { + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } }, "type": [ - "array", + "object", "null" ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. 
For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" + "additionalProperties": false }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. 
See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": "string" + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] } }, "required": [ - "name" + "value" ], "type": [ "object", 
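Review bot: In the `devices` block added by this hunk, several constraints stated in the descriptions have no schema counterpart. "Must not have more than 128 entries" has no `maxItems`, the 64-character limits on `string` and `version` have no `maxLength`, and "DeviceAttribute must have exactly one field set" is not encoded at all: `bool`, `int`, `string` and `version` are each optional and nullable, so an empty attribute object, or one with several fields set, validates. Anyone using the strict schema as a pre-merge gate should know these limits are not checked by it. In `capacity.value`, both `oneOf` branches accept `null`, so a null value matches both branches and fails `oneOf`; removing `"null"` from the two branches would state the same rule plainly.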
@@ -464,25 +368,89 @@ ], "additionalProperties": false }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", + "type": "string" + }, + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. 
This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "key": { + "description": "The label key that the selector applies to.", "type": "string" }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, "required": [ - "namespace", - "name" + "key", + "operator" ], "type": [ "object", 
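Review bot: "Exactly one of NodeName, NodeSelector and AllNodes must be set" appears in the `nodeName` and `allNodes` descriptions, but nothing in this hunk encodes it: `nodeName` is nullable, and the `required` list for `spec` further down names only `driver` and `pool`, so a slice with none of the three set, or all three, passes validation. A `oneOf` over the three fields would close the gap, which matters here because the description says `nodeName` can be used to limit access from nodes to ResourceSlices with the same node name. Minor: the `operator` description reads "DoesNotExist. Gt, and Lt.", with a period where a comma is meant.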
@@ -490,135 +458,109 @@ ], "additionalProperties": false }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "key": { + "description": "The label key that the selector applies to.", "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, "required": [ - "name" + "key", + "operator" ], "type": [ "object", "null" ], "additionalProperties": false - } - }, - "required": [ - "kind" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ], - "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "priorityLevelConfiguration" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "status": { - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", + "object", "null" - ] + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false + "type": "array", + "x-kubernetes-list-type": "atomic" + } }, + "required": [ + "nodeSelectorTerms" + ], "type": [ - "array", + "object", "null" ], - "x-kubernetes-list-map-keys": [ - "type" + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "pool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. 
The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "type": "object", + "additionalProperties": false } }, + "required": [ + "driver", + "pool" + ], "type": [ "object", "null" @@ -626,12 +568,15 @@ "additionalProperties": false } }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/resourceslice.json b/master-standalone-strict/resourceslice.json index e882b6b747e53b2e59879484dbc4cce2e66982b9..be3118207baa136b3b4a5d17ba2d54a41590a3c5 100644 --- a/master-standalone-strict/resourceslice.json +++ b/master-standalone-strict/resourceslice.json 
@@ -337,20 +337,33 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } - ] + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ @@ -560,7 +573,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/flowschemalist-flowcontrol-v1beta3.json b/master-standalone-strict/resourceslicelist-resource-v1beta1.json similarity index 60% rename from master-standalone-strict/flowschemalist-flowcontrol-v1beta3.json rename to master-standalone-strict/resourceslicelist-resource-v1beta1.json index 9d5207d1f3914df5794eb597c95cda7e941e73ee..d6d06881efa0eebf34ea650b9359b85ba7007b02 100644 --- a/master-standalone-strict/flowschemalist-flowcontrol-v1beta3.json +++ b/master-standalone-strict/resourceslicelist-resource-v1beta1.json @@ -1,5 +1,5 @@ { - "description": "FlowSchemaList is a list of FlowSchema objects.", + "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
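Review bot: The `capacity` hunk in the unversioned resourceslice.json is a shape change, not a refinement: each entry goes from a bare quantity (string or number) to an object with a required `value` key, and the following hunk moves the file's `version` from `v1alpha3` to `v1beta1`. Manifests that still write capacities as plain quantities will now fail validation against this file. Please call that out in the change description, and confirm whether a versioned v1alpha3 schema remains available for manifests that have not migrated.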
@@ -8,13 +8,13 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "`items` is a list of FlowSchemas.", + "description": "Items is the list of resource ResourceSlices.", "items": { - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. 
Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -23,7 +23,7 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "kind": { @@ -33,7 +33,7 @@ "null" ], "enum": [ - "FlowSchema" + "ResourceSlice" ] }, "metadata": { 
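Review bot: Git reports resourceslicelist-resource-v1beta1.json as a 60% rename of flowschemalist-flowcontrol-v1beta3.json, and resourceslice-resource-v1beta1.json earlier as a 56% rename of flowschema-flowcontrol-v1beta3.json, so the two flowcontrol v1beta3 schemas disappear in this change without showing up as deletions. Please confirm that dropping them is intended, since manifests pinned to `flowcontrol.apiserver.k8s.io/v1beta3` will no longer have a file in master-standalone-strict to validate against. Also, the new `items` description reads "the list of resource ResourceSlices"; the word "resource" is doubled.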
@@ -290,188 +290,92 @@ "additionalProperties": false }, "spec": { - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { - "distinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" - } - }, - "required": [ - "type" - ], + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": [ - "integer", + "boolean", "null" ] }, - "priorityLevelConfiguration": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object", - "additionalProperties": false - }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. 
if it is an empty slice, there will be no requests matching the FlowSchema.", + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] + "basic": { + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } }, "type": [ - "array", + "object", "null" ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. 
For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" + "additionalProperties": false }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. 
See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": "string" + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] } }, "required": [ - "name" + "value" ], "type": [ "object", 
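Review bot: In the added `capacity` → `additionalProperties` → `value` schema, both `oneOf` branches include `"null"` (`["string", "null"]` and `["number", "null"]`), so a null `value` matches both branches and is rejected by `oneOf`, which requires exactly one match. If null is meant to be invalid here (the property is listed under `required`), drop `"null"` from both branches so the schema says so directly; if null is meant to be accepted, use `anyOf` or add a separate `{"type": "null"}` branch. As written, the schema reads as nullable but validates as non-nullable.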
@@ -479,25 +383,89 @@ ], "additionalProperties": false }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", + "type": "string" + }, + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. 
This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "key": { + "description": "The label key that the selector applies to.", "type": "string" }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, "required": [ - "namespace", - "name" + "key", + "operator" ], "type": [ "object", 
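Review bot: The `nodeName` description added in this hunk states "Exactly one of NodeName, NodeSelector and AllNodes must be set", but nothing in the schema encodes that: `nodeName` and `nodeSelector` are both optional and nullable, so a ResourceSlice that sets both, or neither, passes validation against this file. The same holds for `name` ("must be a DNS label") and `driver` ("Must be a DNS subdomain"), which are plain `"type": "string"` with no `pattern` or `maxLength`. Since the description also says `nodeName` can be used to limit access from nodes to ResourceSlices, it is worth documenting that these schemas check structure only and that the mutual-exclusion and naming rules are enforced by the API server, or adding a `oneOf` over the three fields in post-processing if the generator allows it.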
@@ -505,151 +473,125 @@ ], "additionalProperties": false }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, "required": [ - "name" + "key", + "operator" ], "type": [ "object", "null" ], "additionalProperties": false - } - }, - "required": [ - "kind" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ], - "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "priorityLevelConfiguration" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "status": { - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", "type": [ - "string", + "object", "null" - ] + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false + "type": "array", + "x-kubernetes-list-type": "atomic" + } }, + "required": [ + "nodeSelectorTerms" + ], "type": [ - "array", + "object", "null" ], - "x-kubernetes-list-map-keys": [ - "type" + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "pool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. 
The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "type": "object", + "additionalProperties": false } }, - "type": [ - "object", - "null" + "required": [ + "driver", + "pool" ], + "type": "object", "additionalProperties": false } }, + "required": [ + "spec" + ], "type": [ "object", "null" ], "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1beta1" } ], "additionalProperties": false @@ -666,7 +608,7 @@ "null" ], "enum": [ - "FlowSchemaList" + "ResourceSliceList" ] }, "metadata": { 
@@ -715,9 +657,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchemaList", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceSliceList", + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/resourceslicelist.json b/master-standalone-strict/resourceslicelist.json index 17ab83e9d0c9af581254156a86b2e1fb0d45c423..d5ec796335c5a59b2a3324bad8c1bb4f3fa3302a 100644 --- a/master-standalone-strict/resourceslicelist.json +++ b/master-standalone-strict/resourceslicelist.json @@ -349,20 +349,33 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } - ] + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ @@ -572,7 +585,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false @@ -640,7 +653,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSliceList", - "version": "v1alpha3" + "version": "v1beta1" } ], "additionalProperties": false, diff --git a/master-standalone-strict/resourceslicespec-resource-v1beta1.json b/master-standalone-strict/resourceslicespec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e3f5ee4e92f40edd4e0f4ada331fc28dbbd33670 --- /dev/null +++ b/master-standalone-strict/resourceslicespec-resource-v1beta1.json 
@@ -0,0 +1,297 @@ +{ + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", + "properties": { + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", + "type": [ + "boolean", + "null" + ] + }, + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", + "items": { + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "description": "Attributes defines the set of attributes for this device. 
The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + }, + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. 
It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic", + "additionalProperties": false + }, + "pool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. 
This field is immutable.", + "type": "string" + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false + } + }, + "required": [ + "driver", + "pool" + ], + "type": "object", + "additionalProperties": false, + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone-strict/resourceslicespec.json b/master-standalone-strict/resourceslicespec.json index 7b602022fb93606a24c48c9bf03d0ca40392f358..e3f5ee4e92f40edd4e0f4ada331fc28dbbd33670 100644 --- a/master-standalone-strict/resourceslicespec.json +++ b/master-standalone-strict/resourceslicespec.json @@ -64,20 +64,33 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } - ] + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ], + "additionalProperties": false }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ diff --git a/master-standalone-strict/selfsubjectreviewstatus-authentication-v1alpha1.json b/master-standalone-strict/selfsubjectreviewstatus-authentication-v1alpha1.json deleted file mode 100644 index 7bc33ffe01c80cc1d131485ab6166971ef544908..0000000000000000000000000000000000000000 
--- a/master-standalone-strict/selfsubjectreviewstatus-authentication-v1alpha1.json +++ /dev/null @@ -1,65 +0,0 @@ -{ - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", - "properties": { - "userInfo": { - "description": "UserInfo holds the information about the user needed to implement the user.Info interface.", - "properties": { - "extra": { - "additionalProperties": { - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ] - }, - "description": "Any additional information provided by the authenticator.", - "type": [ - "object", - "null" - ] - }, - "groups": { - "description": "The names of groups this user is a part of.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "uid": { - "description": "A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.", - "type": [ - "string", - "null" - ] - }, - "username": { - "description": "The name that uniquely identifies this user among all active users.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/serviceaccountsubject-flowcontrol-v1beta3.json b/master-standalone-strict/serviceaccountsubject-flowcontrol-v1beta3.json deleted file mode 100644 index f2915dbc71531ac24b58f58b2a11a297e74f615c..0000000000000000000000000000000000000000 --- a/master-standalone-strict/serviceaccountsubject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "namespace", - "name" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/subject-flowcontrol-v1beta3.json b/master-standalone-strict/subject-flowcontrol-v1beta3.json deleted file mode 100644 index bf69bef2f64dbae4ffb4ebedc5d1bef905bec0b1..0000000000000000000000000000000000000000 --- a/master-standalone-strict/subject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,84 +0,0 @@ -{ - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": [ - "string", - "null" - ] - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": "string" - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": "string" - } - }, - "required": [ - "namespace", - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. 
Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "required": [ - "kind" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ], - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/typechecking-admissionregistration-v1alpha1.json b/master-standalone-strict/typechecking-admissionregistration-v1alpha1.json deleted file mode 100644 index da07f75c8426926b1d34a59ee8f59aa4d3b35ba1..0000000000000000000000000000000000000000 --- a/master-standalone-strict/typechecking-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": "string" - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/usersubject-flowcontrol-v1beta3.json b/master-standalone-strict/usersubject-flowcontrol-v1beta3.json deleted file mode 100644 index 09b55d5f6fe1a8537dccbf3bd9df87f9958ed5dd..0000000000000000000000000000000000000000 --- a/master-standalone-strict/usersubject-flowcontrol-v1beta3.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
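Review bot: This deletion of `usersubject-flowcontrol-v1beta3.json`, together with the other `flowcontrol-v1beta3`, `admissionregistration-v1alpha1` and `authentication-v1alpha1` files removed in the preceding hunks, has no replacement in the visible diff, so `master-standalone-strict` no longer carries a schema for those group/versions. Manifests still written against `flowcontrol.apiserver.k8s.io/v1beta3` will have nothing to validate against in this directory. The commit message should say that these versions were dropped and point users to the versioned schema directory they need to pin if they still deploy those objects.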
diff --git a/master-standalone-strict/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json b/master-standalone-strict/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json deleted file mode 100644 index d571aa491de3c8c70efffcd55f9ce711cc2af3af..0000000000000000000000000000000000000000 --- a/master-standalone-strict/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,113 +0,0 @@ -{ - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "description": "Condition contains details for one aspect of the current state of this API Resource.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": "string" - }, - "message": { - "description": "message is a human readable message indicating details about the transition. This may be an empty string.", - "type": "string" - }, - "observedGeneration": { - "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "reason": { - "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. 
This field may not be empty.", - "type": "string" - }, - "status": { - "description": "status of the condition, one of True, False, Unknown.", - "type": "string" - }, - "type": { - "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", - "type": "string" - } - }, - "required": [ - "type", - "status", - "lastTransitionTime", - "reason", - "message" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "typeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. 
Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": "string" - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": [ - "object", - "null" - ], - "additionalProperties": false - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": [ - "object", - "null" - ], - "additionalProperties": false - } - }, - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone-strict/validation-admissionregistration-v1alpha1.json b/master-standalone-strict/validation-admissionregistration-v1alpha1.json deleted file mode 100644 index 5b24e0900b8ec0e42f379d44cba9be579ff3f9d1..0000000000000000000000000000000000000000 --- a/master-standalone-strict/validation-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' 
escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. 
If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": "object", - "additionalProperties": false, - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
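Review bot: `validation-admissionregistration-v1alpha1.json` is deleted outright here (`+++ /dev/null`), together with the `typechecking-` and `validatingadmissionpolicystatus-` v1alpha1 files just above, and none of these hunks adds a replacement path. Anything that validates ValidatingAdmissionPolicy manifests by resolving these file names will stop finding a schema, and depending on how the consumer treats a missing schema that is either a hard failure or a skipped check. Please say in the commit message which upstream API version this directory now tracks, and confirm that replacement schemas for these kinds are present, so users pinned to `master-standalone-strict` know what to migrate to.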
diff --git a/master-standalone-strict/volumeattachment-storage-v1.json b/master-standalone-strict/volumeattachment-storage-v1.json index caf1e99482d8d32f8e708c41d1992a293c05f2a8..22afda18aedeb9bd8f75d368a8a7c5b1f488c687 100644 --- a/master-standalone-strict/volumeattachment-storage-v1.json +++ b/master-standalone-strict/volumeattachment-storage-v1.json @@ -647,7 +647,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1182,7 +1182,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/volumeattachment.json b/master-standalone-strict/volumeattachment.json index 792f5c88b0ca70f8010052cd547298b4642ba82a..6c7aa867a8ef6b61bb1f7e6569c22fb546039513 100644 --- a/master-standalone-strict/volumeattachment.json +++ b/master-standalone-strict/volumeattachment.json 
@@ -644,7 +644,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1179,7 +1179,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/volumeattachmentlist-storage-v1.json b/master-standalone-strict/volumeattachmentlist-storage-v1.json index d2d8c8b3ace17e5d9e3217e79b1c829706053aa6..25ea36b6fa4f9826171c09547dd6a31fb6438fbc 100644 --- a/master-standalone-strict/volumeattachmentlist-storage-v1.json +++ b/master-standalone-strict/volumeattachmentlist-storage-v1.json @@ -662,7 +662,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", 
@@ -1197,7 +1197,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/volumeattachmentlist.json b/master-standalone-strict/volumeattachmentlist.json index 4cd4465f0b173c1eaf6cb4bdc8d24a453f4bfa57..fa18766c28f190716bd0744d818c3f1455436789 100644 --- a/master-standalone-strict/volumeattachmentlist.json +++ b/master-standalone-strict/volumeattachmentlist.json @@ -656,7 +656,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1191,7 +1191,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
diff --git a/master-standalone-strict/volumeattachmentsource-storage-v1.json b/master-standalone-strict/volumeattachmentsource-storage-v1.json index c2dd588f684ffa1b3829d7d48bb41802e46ce136..25099cb6751bce47c490841b6c1ee9f9507432a5 100644 --- a/master-standalone-strict/volumeattachmentsource-storage-v1.json +++ b/master-standalone-strict/volumeattachmentsource-storage-v1.json @@ -360,7 +360,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -895,7 +895,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/volumeattachmentsource.json b/master-standalone-strict/volumeattachmentsource.json index c2dd588f684ffa1b3829d7d48bb41802e46ce136..25099cb6751bce47c490841b6c1ee9f9507432a5 100644 --- a/master-standalone-strict/volumeattachmentsource.json +++ b/master-standalone-strict/volumeattachmentsource.json 
@@ -360,7 +360,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -895,7 +895,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/volumeattachmentspec-storage-v1.json b/master-standalone-strict/volumeattachmentspec-storage-v1.json index 85eb8b9bf8c864ac6c06be6bb4e7429e3ce65174..bbde18256cac83a7e735da626de64cbeb08125b5 100644 --- a/master-standalone-strict/volumeattachmentspec-storage-v1.json +++ b/master-standalone-strict/volumeattachmentspec-storage-v1.json @@ -377,7 +377,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", 
@@ -912,7 +912,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone-strict/volumeattachmentspec.json b/master-standalone-strict/volumeattachmentspec.json index 85eb8b9bf8c864ac6c06be6bb4e7429e3ce65174..bbde18256cac83a7e735da626de64cbeb08125b5 100644 --- a/master-standalone-strict/volumeattachmentspec.json +++ b/master-standalone-strict/volumeattachmentspec.json @@ -377,7 +377,7 @@ "additionalProperties": false }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -912,7 +912,7 @@ "additionalProperties": false }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
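Review bot: the `(Beta feature)` removal from the `csi` and `local` descriptions is the same two-line edit repeated in every `volumeattachment*` file, and the `volumeattachmentsource` and `volumeattachmentspec` pairs (the `-storage-v1` file and its unversioned twin) carry identical `index` lines, so they are byte-for-byte copies. Please confirm these hunks come from regenerating the schemas rather than from hand edits, so the copies cannot drift apart. The change is description-only and does not alter what the schema accepts, which is worth stating in the commit message since it sits next to real schema deletions.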
diff --git a/master-standalone-strict/watchevent-meta-v1.json b/master-standalone-strict/watchevent-meta-v1.json index db2f01db10df64c102e4998aaa02156f226ac09a..8cc3b5fdca3bba54465bcb42bce0c71f9dd75085 100644 --- a/master-standalone-strict/watchevent-meta-v1.json +++ b/master-standalone-strict/watchevent-meta-v1.json @@ -286,6 +286,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master-standalone-strict/watchevent.json b/master-standalone-strict/watchevent.json index db2f01db10df64c102e4998aaa02156f226ac09a..8cc3b5fdca3bba54465bcb42bce0c71f9dd75085 100644 --- a/master-standalone-strict/watchevent.json +++ b/master-standalone-strict/watchevent.json @@ -286,6 +286,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master-standalone/_definitions.json b/master-standalone/_definitions.json index 1e23568e88836ddd945c01a812ddd4a5a4a36f19..46d37daa98de9d5a70bb96d28a60bc994c4167cb 100644 --- a/master-standalone/_definitions.json +++ b/master-standalone/_definitions.json 
@@ -890,40 +890,24 @@ }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. 
All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", "type": "string" } }, - "required": [ - "key", - "valueExpression" - ], "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", + "io.k8s.api.admissionregistration.v1alpha1.JSONPatch": { + "description": "JSONPatch defines a JSON Patch.", "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", "type": "string" } }, - "required": [ - "fieldRef", - "warning" - ], "type": "object" }, "io.k8s.api.admissionregistration.v1alpha1.MatchCondition": { 
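Review bot: the new `ApplyConfiguration` and `JSONPatch` definitions both end their `expression` description with "Required.", but the hunk drops the old `required` arrays (`key`/`valueExpression` and `fieldRef`/`warning`) without adding one for `expression`, so a validator using this schema accepts either object with no expression at all. If that mirrors the upstream OpenAPI definition, note it; otherwise add `"required": ["expression"]` to both. The added text also has quoting slips that should be fixed at the source: in `JSONPatch`, the escape for '/' is written with an opening backtick and a closing apostrophe around ~1 and is followed by a stray `)`, and in both descriptions the `Object.<fieldName1>.<fieldName2>...<fieldNameN>` item opens with an apostrophe and closes with a backtick.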
@@ -978,111 +962,8 @@ "type": "object", "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations": { - "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", - "properties": { - "apiGroups": { - "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "apiVersions": { - "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "operations": { - "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resourceNames": { - "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resources": { - "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. 
Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "scope": { - "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", - "type": "string" - } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.ParamKind": { - "description": "ParamKind is a tuple of Group Kind and Version.", - "properties": { - "apiVersion": { - "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", - "type": "string" - }, - "kind": { - "description": "Kind is the API kind the resources belong to. Required.", - "type": "string" - } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { - "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", - "properties": { - "name": { - "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", - "type": "string" - }, - "namespace": { - "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. 
Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", - "type": "string" - }, - "parameterNotFoundAction": { - "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", - "type": "string" - }, - "selector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." 
- } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.TypeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy": { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy": { + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1092,7 +973,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
@@ -1100,25 +981,21 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicy." - }, - "status": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus", - "description": "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only." + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicy." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding": { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. 
Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding": { + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1128,7 +1005,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { 
@@ -1136,21 +1013,21 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding." + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicyBinding." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList": { - "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList": { + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1159,7 +1036,7 @@ "items": { "description": "List of PolicyBinding.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, "type": "array" }, 
@@ -1167,7 +1044,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyBindingList" + "MutatingAdmissionPolicyBindingList" ] }, "metadata": { 
@@ -1182,39 +1059,31 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBindingList", + "kind": "MutatingAdmissionPolicyBindingList", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec": { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec": { + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required." + "description": "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. 
The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT." }, "paramRef": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", - "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": "string" - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. 
If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination 
needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" } }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList": { - "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList": { + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1223,7 +1092,7 @@ "items": { "description": "List of ValidatingAdmissionPolicy.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, "type": "array" }, @@ -1231,7 +1100,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyList" + "MutatingAdmissionPolicyList" ] }, "metadata": { 
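Review bot: In the `@@ -1223,7 +1092,7 @@` hunk above, the unchanged `items` description still reads "List of ValidatingAdmissionPolicy." while the `$ref` beneath it now resolves to `MutatingAdmissionPolicy`. Update the description to name the mutating type so that generated documentation and editor hints do not mislabel what the list contains.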
@@ -1246,28 +1115,20 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyList", + "kind": "MutatingAdmissionPolicyList", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec": { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec": { + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. 
Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": "string" }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. 
If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" }, 
@@ -1281,114 +1142,172 @@ }, "matchConstraints": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required." - }, - "paramKind": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", - "description": "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null." + "description": "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required." }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", + "mutations": { + "description": "mutations contain operations to perform on matching objects. 
mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" }, "type": "array", "x-kubernetes-list-type": "atomic" }, + "paramKind": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", + "description": "paramKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null." + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": "string" + }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" }, "type": "array", - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus": { - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": "integer" - }, - "typeChecking": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking", - 
"description": "The results of type checking for each expression. Presence of this field indicates the completion of the type checking." + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.Validation": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", + "io.k8s.api.admissionregistration.v1alpha1.Mutation": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. 
\"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".", - "type": "string" + "applyConfiguration": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration", + "description": "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration." }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": "string" - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. 
If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", - "type": "string" - } - }, - "required": [ - "expression" - ], - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.Variable": { - "description": "Variable is the definition of a variable that is used for composition.", - "properties": { - "expression": { - "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", - "type": "string" + "jsonPatch": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch", + "description": "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch." }, - "name": { - "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". 
Required.", "type": "string" } }, "required": [ - "name", - "expression" + "patchType" ], "type": "object" }, - "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. 
Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.ParamKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", + "type": "string" + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": "string" + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. 
Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": "string" + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": "string" + }, + "selector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.Variable": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": "object" + }, + "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation": { + "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "properties": { + "key": { + "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", + "type": "string" + }, + "valueExpression": { + "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. 
All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", "type": "string" } }, 
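Review bot: in the added `io.k8s.api.admissionregistration.v1alpha1.Mutation` definition, `patchType` is the only required property and its allowed values ("ApplyConfiguration" and "JSONPatch") exist only in the description text, so a Mutation with an unknown `patchType`, or one whose matching `applyConfiguration` / `jsonPatch` member is absent, still passes validation against this schema. The file constrains `kind` fields with `enum` elsewhere in this diff; consider doing the same for `patchType` and stating in the description whether the member named by `patchType` must be set. Separately, the re-added `v1alpha1.Variable` description still says the expression "has access to the same identifiers as the CEL expressions in Validation", but this hunk removes `v1alpha1.Validation`; the sentence should point at a type that still exists in this API version.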
@@ -3327,48 +3246,6 @@ }, "type": "object" }, - "io.k8s.api.authentication.v1alpha1.SelfSubjectReview": { - "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "SelfSubjectReview" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus", - "description": "Status is filled in by the server with the user attributes." 
- } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "authentication.k8s.io", - "kind": "SelfSubjectReview", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus": { - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", - "properties": { - "userInfo": { - "$ref": "#/definitions/io.k8s.api.authentication.v1.UserInfo", - "description": "User attributes of the user making this request." - } - }, - "type": "object" - }, "io.k8s.api.authentication.v1beta1.SelfSubjectReview": { "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", "properties": { 
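Review bot: this hunk deletes both `io.k8s.api.authentication.v1alpha1.SelfSubjectReview` and `io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus`, and only the `v1beta1` definition is visible in the trailing context, so anything that still validates `authentication.k8s.io/v1alpha1` objects against this file loses its schema. Please confirm that no `$ref` to `#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus` remains elsewhere in `_definitions.json` (the one reference shown here is removed together with its parent), and name the dropped group/version in the change description so consumers can find it.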
@@ -4451,7 +4328,7 @@ "properties": { "containerResource": { "$ref": "#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource", - "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag." + "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "external": { "$ref": "#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource", @@ -4470,7 +4347,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
@@ -4503,7 +4380,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, 
@@ -5411,96 +5288,6 @@ }, "type": "object" }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundle": { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "metadata contains the object metadata." 
- }, - "spec": { - "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec", - "description": "spec contains the signer (if any) and trust anchors." - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList": { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items is a collection of ClusterTrustBundle objects", - "items": { - "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" - }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterTrustBundleList" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "metadata contains the list metadata." 
- } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": "string" - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. 
The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": "object" - }, "io.k8s.api.coordination.v1.Lease": { "description": "Lease defines a lease concept.", "properties": { @@ -5920,7 +5707,7 @@ ] }, "io.k8s.api.core.v1.CSIPersistentVolumeSource": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "$ref": "#/definitions/io.k8s.api.core.v1.SecretReference", @@ -8287,7 +8074,7 @@ "x-kubernetes-map-type": "atomic" }, "io.k8s.api.core.v1.LocalVolumeSource": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
@@ -9357,15 +9144,15 @@ }, "awsElasticBlockStore": { "$ref": "#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "capacity": { "additionalProperties": { 
@@ -9376,11 +9163,11 @@ }, "cephfs": { "$ref": "#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "claimRef": { "$ref": "#/definitions/io.k8s.api.core.v1.ObjectReference", @@ -9389,7 +9176,7 @@ }, "csi": { "$ref": "#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource", - "description": "csi represents storage that is handled by an external CSI driver (Beta feature)." + "description": "csi represents storage that is handled by an external CSI driver." }, "fc": { "$ref": "#/definitions/io.k8s.api.core.v1.FCVolumeSource", 
@@ -9397,19 +9184,19 @@ }, "flexVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "glusterfs": { "$ref": "#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource", - "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
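Review bot: the `+` descriptions in this hunk use the same "Deprecated:" prefix for three different states: `gcePersistentDisk` is redirected to the pd.csi.storage.gke.io CSI driver, `flocker` and `glusterfs` are "no longer supported", and `flexVolume` only gets "Consider using a CSIDriver instead". The property definitions themselves are unchanged, so a validator built on this schema will still accept an object with `flocker` or `glusterfs` set even though the text says the in-tree type is no longer supported. Suggest wording that separates "redirected" from "unsupported" so the difference is visible to someone scanning the descriptions, and dropping or qualifying the "More info" example link that still follows the `glusterfs` notice.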
@@ -9445,23 +9232,23 @@ }, "photonPersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "quobyte": { "$ref": "#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. 
More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "storageClassName": { "description": "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.", @@ -9469,7 +9256,7 @@ }, "storageos": { "$ref": "#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource", - "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md" + "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md" }, "volumeAttributesClassName": { "description": "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).", 
@@ -9481,7 +9268,7 @@ }, "vsphereVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "type": "object" @@ -10207,7 +9994,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
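Review bot: The new `containerStatuses` description on the `+` line states an invariant (at most one status per container, all for containers in the pod), then says it is not enforced, and stops without telling a consumer what to do when it is violated. The list is still just `items` of `ContainerStatus`, so anything that reads it to gate a decision on container state can be handed duplicate or unknown names. Consider adding a sentence that consumers should match statuses by container name and treat duplicates or names not in the pod as invalid input instead of taking the first match.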
@@ -10215,7 +10002,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, @@ -10237,7 +10024,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
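Review bot: The "More info" link in the new `initContainerStatuses` description uses `pod-lifecycle/#pod-and-container-status` (with a slash before the fragment), while the `containerStatuses` and `ephemeralContainerStatuses` descriptions changed alongside it use `pod-lifecycle#pod-and-container-status`. Please use one form across all three so link checkers and text comparisons over these descriptions do not treat them as different targets.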
@@ -12156,23 +11943,23 @@ "properties": { "awsElasticBlockStore": { "$ref": "#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "cephfs": { "$ref": "#/definitions/io.k8s.api.core.v1.CephFSVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." 
}, "cinder": { "$ref": "#/definitions/io.k8s.api.core.v1.CinderVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "configMap": { "$ref": "#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource", @@ -12180,7 +11967,7 @@ }, "csi": { "$ref": "#/definitions/io.k8s.api.core.v1.CSIVolumeSource", - "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers." }, "downwardAPI": { "$ref": "#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource", 
@@ -12200,23 +11987,23 @@ }, "flexVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.FlexVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "gitRepo": { "$ref": "#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource", - "description": "gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." 
+ "description": "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." }, "glusterfs": { "$ref": "#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource", - "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", @@ -12244,11 +12031,11 @@ }, "photonPersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "projected": { "$ref": "#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource", 
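Review bot: The `portworxVolume` deprecation text on the `+` line is the only one here that is conditional ("when the CSIMigrationPortworx feature-gate is on") and it does not say what happens when the gate is off, whereas `photonPersistentDisk` just above is stated flatly as "no longer supported". Suggest adding a clause that states the gate-off behaviour, so readers auditing which in-tree volume code paths can still be reached do not have to guess.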
@@ -12256,15 +12043,15 @@ }, "quobyte": { "$ref": "#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "#/definitions/io.k8s.api.core.v1.RBDVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "secret": { "$ref": "#/definitions/io.k8s.api.core.v1.SecretVolumeSource", 
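Review bot: The `quobyte`, `rbd` and `scaleIO` descriptions now say the in-tree type is "no longer supported", but the change is to the description string only: each property keeps its `$ref` and remains a valid member of the object, so a manifest that sets one of them still validates against this schema. If these definitions are used for manifest validation, the deprecation needs a separate lint or admission rule to have any effect, and the description would be more useful if it said what a user should expect when the field is set.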
@@ -12272,11 +12059,11 @@ }, "storageos": { "$ref": "#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource", - "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported." }, "vsphereVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "required": [ 
@@ -13436,38 +13223,69 @@ ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", + "io.k8s.api.networking.v1.HTTPIngressPath": { + "description": "HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.", "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": "integer" + "backend": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", + "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to." }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. 
This field has a default value of zero.", - "format": "int32", - "type": "integer" + "path": { + "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".", + "type": "string" + }, + "pathType": { + "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.", + "type": "string" } }, + "required": [ + "pathType", + "backend" + ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", + "io.k8s.api.networking.v1.HTTPIngressRuleValue": { + "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' 
or '#'.", "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" + "paths": { + "description": "paths is a collection of paths that map requests to backends.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ - "type" + "paths" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchema": { - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", - "properties": { + "io.k8s.api.networking.v1.IPBlock": { + "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.", + "properties": { + "cidr": { + "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", + "type": "string" + }, + "except": { + "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "cidr" + ], + "type": "object" + }, + "io.k8s.api.networking.v1.Ingress": { + "description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. 
An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.", + "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" 
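Review bot: The added `pathType` description for `HTTPIngressPath` is garbled in exactly the sentences that define Prefix matching: "A path element refers is the list of labels in the path split by the '/' separator" and "A request is a match for path p if every p is an element-wise prefix of p of the request path". Path matching decides which backend receives a request, so the rule should read unambiguously; the `/foo/bar` versus `/foo/barbaz` example is clear and could carry the definition if the preceding sentences are reworded. The `HTTPIngressRuleValue` description in the same hunk also has a doubled word ("backend where where parts of the url").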
@@ -13476,68 +13294,88 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "FlowSchema" + "Ingress" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec", - "description": "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec", + "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus", - "description": "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus", + "description": "status is the current state of the Ingress. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "Ingress", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", + "io.k8s.api.networking.v1.IngressBackend": { + "description": "IngressBackend describes all endpoints for a given service and port.", "properties": { - "lastTransitionTime": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." + "resource": { + "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference", + "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"." }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", + "service": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend", + "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"." + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressClass": { + "description": "IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. 
When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IngressClass" + ] }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": "string" + "spec": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec", + "description": "spec is the desired state of the IngressClass. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IngressClass", + "version": "v1" + } + ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaList": { - "description": "FlowSchemaList is a list of FlowSchema objects.", + "io.k8s.api.networking.v1.IngressClassList": { + "description": "IngressClassList is a collection of IngressClasses.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "`items` is a list of FlowSchemas.", + "description": "items is the list of IngressClasses.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass" }, "type": "array" }, @@ -13545,12 +13383,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "FlowSchemaList" + "IngressClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata." } }, "required": [ 
@@ -13559,185 +13397,243 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchemaList", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "IngressClassList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec": { - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "io.k8s.api.networking.v1.IngressClassParametersReference": { + "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.", "properties": { - "distinguisherMethod": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod", - "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." + "apiGroup": { + "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", + "type": "string" }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": "integer" + "kind": { + "description": "kind is the type of resource being referenced.", + "type": "string" }, - "priorityLevelConfiguration": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference", - "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. 
If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." + "name": { + "description": "name is the name of resource being referenced.", + "type": "string" }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "namespace": { + "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".", + "type": "string" + }, + "scope": { + "description": "scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".", + "type": "string" } }, "required": [ - "priorityLevelConfiguration" + "kind", + "name" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus": { - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.GroupSubject": { - "description": "GroupSubject holds detailed information for group-kind subject.", + "io.k8s.api.networking.v1.IngressClassSpec": { + "description": "IngressClassSpec provides information about the class of an Ingress.", 
"properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", + "controller": { + "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.", "type": "string" + }, + "parameters": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference", + "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters." } }, - "required": [ - "name" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.LimitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", + "io.k8s.api.networking.v1.IngressList": { + "description": "IngressList is a collection of Ingress.", "properties": { - "queuing": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration", - "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" + }, + "items": { + "description": "items is the list of Ingress.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IngressList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ - "type" + "items" ], "type": "object", - "x-kubernetes-unions": [ + "x-kubernetes-group-version-kind": [ { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } + "group": "networking.k8s.io", + "kind": "IngressList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", + "io.k8s.api.networking.v1.IngressLoadBalancerIngress": { + "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.", "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. 
The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": "integer" - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": "integer" + "hostname": { + "description": "hostname is set for load-balancer ingress points that are DNS based.", + "type": "string" }, - "limitResponse": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse", - "description": "`limitResponse` indicates what to do with requests that can not be executed right now" + "ip": { + "description": "ip is set for load-balancer ingress points that are IP based.", + "type": "string" }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. 
This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": "integer" + "ports": { + "description": "ports provides information about the ports exposed by this LoadBalancer.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", + "io.k8s.api.networking.v1.IngressLoadBalancerStatus": { + "description": "IngressLoadBalancerStatus represents the status of a load-balancer.", "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. 
Required.", + "ingress": { + "description": "ingress is a list containing ingress points for the load-balancer.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress" }, "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressPortStatus": { + "description": "IngressPortStatus represents the error condition of a service port", + "properties": { + "error": { + "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.", + "type": "string" + }, + "port": { + "description": "port is the port number of the ingress port.", + "format": "int32", + "type": "integer" + }, + "protocol": { + "description": "protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"", + "type": "string" } }, "required": [ - "verbs", - "nonResourceURLs" + "port", + "protocol" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. 
This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "io.k8s.api.networking.v1.IngressRule": { + "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", + "host": { + "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. 
If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.", + "type": "string" + }, + "http": { + "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressServiceBackend": { + "description": "IngressServiceBackend references a Kubernetes Service as a Backend.", + "properties": { + "name": { + "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.", + "type": "string" + }, + "port": { + "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort", + "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend." + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "io.k8s.api.networking.v1.IngressSpec": { + "description": "IngressSpec describes the Ingress the user wishes to exist.", + "properties": { + "defaultBackend": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", + "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller." + }, + "ingressClassName": { + "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. 
However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.", + "type": "string" + }, + "rules": { + "description": "rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", + "tls": { + "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS" }, "type": "array", "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. 
Required.", + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressStatus": { + "description": "IngressStatus describe the current state of the Ingress.", + "properties": { + "loadBalancer": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus", + "description": "loadBalancer contains the current status of the load-balancer." + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressTLS": { + "description": "IngressTLS describes the transport layer security associated with an ingress.", + "properties": { + "hosts": { + "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" + }, + "secretName": { + "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.", + "type": "string" } }, - "required": [ - "subjects" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration": { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "io.k8s.api.networking.v1.NetworkPolicy": { + "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
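Review bot: in the added `io.k8s.api.networking.v1.IngressServiceBackend` definition, the `port` description says "A port name or port number is required for a IngressServiceBackend", but the `required` list contains only `name`, so a validator driven by this schema accepts a backend with no port at all. If these definitions are used to lint or gate manifests, add a separate check for `port`, or note that the constraint is not expressed in the schema. The added `IngressRule.host` description also reads "is to equal to the suffix", which should be "is equal to the suffix"; if this file is generated, that wants fixing at the source. Finally, this hunk drops the `io.k8s.api.flowcontrol.v1beta3.*` definitions (`FlowSchemaStatus`, `LimitResponse`, `PolicyRulesWithSubjects` and others), so confirm that nothing validated against this file still references those types.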
@@ -13747,68 +13643,82 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PriorityLevelConfiguration" + "NetworkPolicy" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec", - "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus", - "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec", + "description": "spec represents the specification of the desired behavior for this NetworkPolicy." 
} }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "NetworkPolicy", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", + "io.k8s.api.networking.v1.NetworkPolicyEgressRule": { + "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8", "properties": { - "lastTransitionTime": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": "string" - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": "string" + "ports": { + "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": "string" + "to": { + "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. 
Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.NetworkPolicyIngressRule": { + "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", + "properties": { + "from": { + "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": "string" + "ports": { + "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList": { - "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", + "io.k8s.api.networking.v1.NetworkPolicyList": { + "description": "NetworkPolicyList is a list of NetworkPolicy objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "`items` is a list of request-priorities.", + "description": "items is a list of schema objects.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy" }, "type": "array" }, 
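Review bot: in the added `NetworkPolicyEgressRule` and `NetworkPolicyIngressRule` definitions, neither `ports` nor `to`/`from` is required, and the descriptions state that an empty or missing field "matches all ports" and "matches all destinations" (or "all sources"), so an empty rule object passes schema validation and permits all traffic in that direction for the selected pods. If this schema backs manifest linting, pair it with a policy check that flags rules where both fields are absent, since the schema alone will not catch an unintentionally wide rule. Two documentation points in the same hunk: the `NetworkPolicyEgressRule` description still carries "This type is beta-level in 1.8", and `NetworkPolicyList.items` is described only as "a list of schema objects", where "a list of NetworkPolicy objects" would match the `$ref`.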
@@ -13816,12 +13726,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PriorityLevelConfigurationList" + "NetworkPolicyList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ 
@@ -13830,270 +13740,213 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "NetworkPolicyList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", + "io.k8s.api.networking.v1.NetworkPolicyPeer": { + "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" + "ipBlock": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock", + "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be." + }, + "namespaceSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector." + }, + "podSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. 
Otherwise it selects the pods matching podSelector in the policy's own namespace." } }, - "required": [ - "name" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec": { - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", + "io.k8s.api.networking.v1.NetworkPolicyPort": { + "description": "NetworkPolicyPort describes a port to allow traffic on", "properties": { - "exempt": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration", - "description": "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply." + "endPort": { + "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", + "format": "int32", + "type": "integer" }, - "limited": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration", - "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." + "port": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched." }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. 
A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", + "protocol": { + "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", "type": "string" } }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ] + "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus": { - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. 
The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": "integer" - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": "integer" - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": "integer" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. 
A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", + "io.k8s.api.networking.v1.NetworkPolicySpec": { + "description": "NetworkPolicySpec provides the specification of a NetworkPolicy", "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", + "egress": { + "description": "egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" }, "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": "boolean" + "x-kubernetes-list-type": "atomic" }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. 
A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", + "ingress": { + "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" }, "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "podSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. 
An empty podSelector matches all pods in this namespace." }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", + "policyTypes": { + "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", "items": { "type": "string" }, "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" } }, "required": [ - "verbs", - "apiGroups", - "resources" + "podSelector" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "io.k8s.api.networking.v1.ServiceBackendPort": { + "description": "ServiceBackendPort is the service port being referenced.", "properties": { "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", "type": "string" }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. 
Required.", - "type": "string" + "number": { + "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".", + "format": "int32", + "type": "integer" } }, - "required": [ - "namespace", - "name" - ], - "type": "object" + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.flowcontrol.v1beta3.Subject": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", + "io.k8s.api.networking.v1beta1.IPAddress": { + "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1", "properties": { - "group": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject", - "description": "`group` matches based on user group name." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" + "description": "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IPAddress" + ] }, - "serviceAccount": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject", - "description": "`serviceAccount` matches ServiceAccounts." + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "user": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject", - "description": "`user` matches based on username." + "spec": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddressSpec", + "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, - "required": [ - "kind" - ], "type": "object", - "x-kubernetes-unions": [ + "x-kubernetes-group-version-kind": [ { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } + "group": "networking.k8s.io", + "kind": "IPAddress", + "version": "v1beta1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.UserSubject": { - "description": "UserSubject holds detailed information for user-kind subject.", + "io.k8s.api.networking.v1beta1.IPAddressList": { + "description": "IPAddressList contains a list of IPAddress.", "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "io.k8s.api.networking.v1.HTTPIngressPath": { - "description": "HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.", - "properties": { - "backend": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", - "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to." }, - "path": { - "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".", - "type": "string" + "items": { + "description": "items is the list of IPAddresses.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddress" + }, + "type": "array" }, - "pathType": { - "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. 
Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IPAddressList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ - "pathType", - "backend" + "items" ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IPAddressList", + "version": "v1beta1" + } + ] }, - "io.k8s.api.networking.v1.HTTPIngressRuleValue": { - "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.", + "io.k8s.api.networking.v1beta1.IPAddressSpec": { + "description": "IPAddressSpec describe the attributes in an IP Address.", "properties": { - "paths": { - "description": "paths is a collection of paths that map requests to backends.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "parentRef": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ParentReference", + "description": "ParentRef references the resource that an IPAddress is attached to. 
An IPAddress must reference a parent object." } }, "required": [ - "paths" + "parentRef" ], "type": "object" }, - "io.k8s.api.networking.v1.IPBlock": { - "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.", + "io.k8s.api.networking.v1beta1.ParentReference": { + "description": "ParentReference describes a reference to a parent object.", "properties": { - "cidr": { - "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", + "group": { + "description": "Group is the group of the object being referenced.", "type": "string" }, - "except": { - "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "name": { + "description": "Name is the name of the object being referenced.", + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the object being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the resource of the object being referenced.", + "type": "string" } }, "required": [ - "cidr" + "resource", + "name" ], "type": "object" }, - "io.k8s.api.networking.v1.Ingress": { - "description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.", + "io.k8s.api.networking.v1beta1.ServiceCIDR": { + "description": "ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 
192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -14103,7 +13956,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "Ingress" + "ServiceCIDR" ] }, "metadata": { 
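Review bot: The added `io.k8s.api.networking.v1beta1.ServiceCIDR` description gives `2001:db2::/64` as its IPv6 example, while the `IPAddress` description earlier in the patch and the `cidrs` description in `ServiceCIDRSpec` both use the `2001:db8::` documentation prefix. `db2` looks like a typo, and it points at address space that is not reserved for examples, so anyone copying the sample into a manifest ends up with a range that could be routable. Change it to `2001:db8::/64` so that all three descriptions agree.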
@@ -14111,80 +13964,161 @@ "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec", - "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec", + "description": "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus", - "description": "status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus", + "description": "status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "networking.k8s.io", - "kind": "Ingress", - "version": "v1" + "kind": "ServiceCIDR", + "version": "v1beta1" } ] }, - "io.k8s.api.networking.v1.IngressBackend": { - "description": "IngressBackend describes all endpoints for a given service and port.", - "properties": { - "resource": { - "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference", - "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"." 
+ "io.k8s.api.networking.v1beta1.ServiceCIDRList": { + "description": "ServiceCIDRList contains a list of ServiceCIDR objects.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, - "service": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend", - "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"." + "items": { + "description": "items is the list of ServiceCIDRs.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDR" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ServiceCIDRList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "ServiceCIDRList", + "version": "v1beta1" + } + ] + }, + "io.k8s.api.networking.v1beta1.ServiceCIDRSpec": { + "description": "ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.", + "properties": { + "cidrs": { + "description": "CIDRs defines the IP blocks in CIDR notation (e.g. 
\"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressClass": { - "description": "IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.", + "io.k8s.api.networking.v1beta1.ServiceCIDRStatus": { + "description": "ServiceCIDRStatus describes the current state of the ServiceCIDR.", + "properties": { + "conditions": { + "description": "conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. Current service state", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": "object" + }, + "io.k8s.api.node.v1.Overhead": { + "description": "Overhead structure represents the resource overhead associated with running a pod.", + "properties": { + "podFixed": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + }, + "description": "podFixed represents the fixed resource overhead associated with running a pod.", + "type": "object" + } + }, + "type": "object" + }, + "io.k8s.api.node.v1.RuntimeClass": { + "description": "RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. 
RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, + "handler": { + "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.", + "type": "string" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressClass" + "RuntimeClass" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec", - "description": "spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "overhead": { + "$ref": "#/definitions/io.k8s.api.node.v1.Overhead", + "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" + }, + "scheduling": { + "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling", + "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes." } }, + "required": [ + "handler" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressClass", + "group": "node.k8s.io", + "kind": "RuntimeClass", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressClassList": { - "description": "IngressClassList is a collection of IngressClasses.", + "io.k8s.api.node.v1.RuntimeClassList": { + "description": "RuntimeClassList is a list of RuntimeClass objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of IngressClasses.", + "description": "items is a list of schema objects.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass" + "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass" }, "type": "array" }, @@ -14192,12 +14126,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressClassList" + "RuntimeClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata." + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ 
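Review bot: `cidrs` in `ServiceCIDRSpec` is documented as "Max of two CIDRs is allowed, one of each IP family" and as immutable, but the array schema added in this hunk carries only `type` and `x-kubernetes-list-type`, and `ServiceCIDRSpec` has no `required` list, so anything that validates manifests against this file alone accepts an empty spec or more than two entries. Either add `"maxItems": 2` (and list `cidrs` under `required` if an empty spec is invalid), or say in the description where the limit is enforced. In the same hunk, the `RuntimeClass` `metadata` description now starts at "More info:" with no sentence saying what the field is, unlike the other `metadata` entries in the patch, and `RuntimeClassList.items` reads "a list of schema objects" where "the list of RuntimeClass objects" would match the `$ref`.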
@@ -14206,67 +14140,113 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressClassList", + "group": "node.k8s.io", + "kind": "RuntimeClassList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressClassParametersReference": { - "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.", + "io.k8s.api.node.v1.Scheduling": { + "description": "Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.", "properties": { - "apiGroup": { - "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", - "type": "string" + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "description": "nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.", + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "kind": { - "description": "kind is the type of resource being referenced.", + "tolerations": { + "description": "tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.", + "items": { + "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.policy.v1.Eviction": { + "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. 
A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "name": { - "description": "name is the name of resource being referenced.", - "type": "string" + "deleteOptions": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions", + "description": "DeleteOptions may be provided" }, - "namespace": { - "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "Eviction" + ] }, - "scope": { - "description": "scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta describes the pod that is being evicted." 
} }, - "required": [ - "kind", - "name" - ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "policy", + "kind": "Eviction", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.IngressClassSpec": { - "description": "IngressClassSpec provides information about the class of an Ingress.", + "io.k8s.api.policy.v1.PodDisruptionBudget": { + "description": "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods", "properties": { - "controller": { - "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "parameters": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference", - "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters." + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "PodDisruptionBudget" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec", + "description": "Specification of the desired behavior of the PodDisruptionBudget." + }, + "status": { + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus", + "description": "Most recently observed status of the PodDisruptionBudget." } }, - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "policy", + "kind": "PodDisruptionBudget", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.IngressList": { - "description": "IngressList is a collection of Ingress.", + "io.k8s.api.policy.v1.PodDisruptionBudgetList": { + "description": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of Ingress.", + "description": "Items is a list of PodDisruptionBudgets", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress" + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget" }, "type": "array" }, 
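Review bot: The `io.k8s.api.policy.v1.Eviction` definition added in this hunk has no `required` list, although its `metadata` is described as "ObjectMeta describes the pod that is being evicted", so a validator driven by this schema accepts an Eviction body that names no pod. State in the description whether `metadata` is mandatory or whether the target is taken from the request path alone, and add it to `required` if it is mandatory. The `deleteOptions` description, "DeleteOptions may be provided", also does not say what the options apply to or what happens when they are omitted; a sentence on that would help anyone writing admission or audit rules around evictions.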
@@ -14274,7 +14254,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressList" + "PodDisruptionBudgetList" ] }, "metadata": { 
@@ -14288,246 +14268,238 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressList", + "group": "policy", + "kind": "PodDisruptionBudgetList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressLoadBalancerIngress": { - "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.", + "io.k8s.api.policy.v1.PodDisruptionBudgetSpec": { + "description": "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.", "properties": { - "hostname": { - "description": "hostname is set for load-balancer ingress points that are DNS based.", - "type": "string" - }, - "ip": { - "description": "ip is set for load-balancer ingress points that are IP based.", - "type": "string" + "maxUnavailable": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\"." }, - "ports": { - "description": "ports provides information about the ports exposed by this LoadBalancer.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "minAvailable": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\"." + }, + "selector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "Label query over pods whose evictions are managed by the disruption budget. 
A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.", + "x-kubernetes-patch-strategy": "replace" + }, + "unhealthyPodEvictionPolicy": { + "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).", + "type": "string" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressLoadBalancerStatus": { - "description": "IngressLoadBalancerStatus represents the status of a load-balancer.", + "io.k8s.api.policy.v1.PodDisruptionBudgetStatus": { + "description": "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. 
Status may trail the actual state of a system.", "properties": { - "ingress": { - "description": "ingress is a list containing ingress points for the load-balancer.", + "conditions": { + "description": "Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress" + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" }, "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.IngressPortStatus": { - "description": "IngressPortStatus represents the error condition of a service port", - "properties": { - "error": { - "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.", - "type": "string" + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" }, - "port": { - "description": "port is the port 
number of the ingress port.", + "currentHealthy": { + "description": "current number of healthy pods", "format": "int32", "type": "integer" }, - "protocol": { - "description": "protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"", - "type": "string" + "desiredHealthy": { + "description": "minimum desired number of healthy pods", + "format": "int32", + "type": "integer" + }, + "disruptedPods": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "description": "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.", + "type": "object" + }, + "disruptionsAllowed": { + "description": "Number of pod disruptions that are currently allowed.", + "format": "int32", + "type": "integer" + }, + "expectedPods": { + "description": "total number of pods counted by this disruption budget", + "format": "int32", + "type": "integer" + }, + "observedGeneration": { + "description": "Most recent generation observed when updating this PDB status. 
DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.", + "format": "int64", + "type": "integer" } }, "required": [ - "port", - "protocol" + "disruptionsAllowed", + "currentHealthy", + "desiredHealthy", + "expectedPods" ], "type": "object" }, - "io.k8s.api.networking.v1.IngressRule": { - "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", + "io.k8s.api.rbac.v1.AggregationRule": { + "description": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole", "properties": { - "host": { - "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. 
If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.", - "type": "string" - }, - "http": { - "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue" + "clusterRoleSelectors": { + "description": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressServiceBackend": { - "description": "IngressServiceBackend references a Kubernetes Service as a Backend.", + "io.k8s.api.rbac.v1.ClusterRole": { + "description": "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.", "properties": { - "name": { - "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.", + "aggregationRule": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.AggregationRule", + "description": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller." + }, + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "port": { - "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort", - "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend." - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "io.k8s.api.networking.v1.IngressSpec": { - "description": "IngressSpec describes the Ingress the user wishes to exist.", - "properties": { - "defaultBackend": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", - "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller." + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ClusterRole" + ] }, - "ingressClassName": { - "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. 
However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." }, "rules": { - "description": "rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "tls": { - "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.", + "description": "Rules holds all the PolicyRules for this ClusterRole", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS" + "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, - "type": "object" - }, - "io.k8s.api.networking.v1.IngressStatus": { - "description": "IngressStatus describe the current state of the Ingress.", - "properties": { - "loadBalancer": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus", - "description": "loadBalancer contains the current status of the load-balancer." 
+ "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "version": "v1" } - }, - "type": "object" + ] }, - "io.k8s.api.networking.v1.IngressTLS": { - "description": "IngressTLS describes the transport layer security associated with an ingress.", + "io.k8s.api.rbac.v1.ClusterRoleBinding": { + "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "properties": { - "hosts": { - "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ClusterRoleBinding" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." + }, + "roleRef": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", + "description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." 
+ }, + "subjects": { + "description": "Subjects holds references to the objects the role applies to.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" }, "type": "array", "x-kubernetes-list-type": "atomic" - }, - "secretName": { - "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.", - "type": "string" } }, - "type": "object" + "required": [ + "roleRef" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleBinding", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.NetworkPolicy": { - "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods", + "io.k8s.api.rbac.v1.ClusterRoleBindingList": { + "description": "ClusterRoleBindingList is a collection of ClusterRoleBindings", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, + "items": { + "description": "Items is a list of ClusterRoleBindings", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding" + }, + "type": "array" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "NetworkPolicy" + "ClusterRoleBindingList" ] }, "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec", - "description": "spec represents the specification of the desired behavior for this NetworkPolicy." + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata." } }, + "required": [ + "items" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "NetworkPolicy", + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleBindingList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.NetworkPolicyEgressRule": { - "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8", - "properties": { - "ports": { - "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "to": { - "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. 
If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyIngressRule": { - "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", - "properties": { - "from": { - "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "ports": { - "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyList": { - "description": "NetworkPolicyList is a list of NetworkPolicy objects.", + "io.k8s.api.rbac.v1.ClusterRoleList": { + "description": "ClusterRoleList is a collection of ClusterRoles", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is a list of schema objects.", + "description": "Items is a list of ClusterRoles", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy" + "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRole" }, "type": "array" }, @@ -14535,12 +14507,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "NetworkPolicyList" + "ClusterRoleList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." } }, "required": [ 
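Review bot: in io.k8s.api.policy.v1.PodDisruptionBudgetSpec, unhealthyPodEvictionPolicy is left as a bare "type": "string" even though its description names IfHealthyBudget and AlwaysAllow as the only valid policies, while the same hunk pins every kind field with an enum. Consider adding an enum with those two values so a misspelled policy fails schema validation instead of reaching the cluster; the enum would need extending if further policies are added, as the description anticipates. Two wording fixes in the added descriptions: "perspective running pods" should read "prospective running pods", and the ClusterRoleBinding description "references a ClusterRole, but not contain it" should read "but does not contain it", matching the RoleBinding text.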
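Review bot: the metadata description on ClusterRoleList now reads "Standard object's metadata." although the $ref still points at io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta, and the line it replaces ("Standard list metadata. More info: ...#metadata") was the accurate one for a list type. Suggest keeping "Standard list metadata." together with the More info link here; the metadata entry added for ClusterRoleBindingList in the preceding hunk has the same mismatch.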
@@ -14549,74 +14521,49 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "NetworkPolicyList", + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.NetworkPolicyPeer": { - "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", - "properties": { - "ipBlock": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock", - "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be." - }, - "namespaceSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector." - }, - "podSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace." 
- } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyPort": { - "description": "NetworkPolicyPort describes a port to allow traffic on", + "io.k8s.api.rbac.v1.PolicyRule": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.", "properties": { - "endPort": { - "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", - "format": "int32", - "type": "integer" - }, - "port": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched." + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "protocol": { - "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", - "type": "string" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicySpec": { - "description": "NetworkPolicySpec provides the specification of a NetworkPolicy", - "properties": { - "egress": { - "description": "egress is a list of egress rules to be applied to the selected pods. 
Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "ingress": { - "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. 
An empty set means that everything is allowed.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "podSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace." + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "policyTypes": { - "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, 
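Review bot: the resourceNames description in io.k8s.api.rbac.v1.PolicyRule, "An empty set means that everything is allowed", is easy to misread as a grant of everything. An empty resourceNames only means the rule is not restricted by object name, so it applies to every object of the listed resources for the listed verbs. Suggest wording along the lines of "An empty set means the rule applies to all names of the listed resources" and replacing "white list" with "allowlist". In the nonResourceURLs description a full stop is missing between "the full, final step in the path" and "Since non-resource URLs are not namespaced".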
@@ -14625,28 +14572,48 @@ } }, "required": [ - "podSelector" + "verbs" ], "type": "object" }, - "io.k8s.api.networking.v1.ServiceBackendPort": { - "description": "ServiceBackendPort is the service port being referenced.", + "io.k8s.api.rbac.v1.Role": { + "description": "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.", "properties": { - "name": { - "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "number": { - "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".", - "format": "int32", - "type": "integer" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "Role" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." 
+ }, + "rules": { + "description": "Rules holds all the PolicyRules for this Role", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", - "x-kubernetes-map-type": "atomic" + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "Role", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1beta1.IPAddress": { - "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1", + "io.k8s.api.rbac.v1.RoleBinding": { + "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
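Review bot: in the added io.k8s.api.rbac.v1.Role definition, kind is pinned with an enum of "Role" but apiVersion stays an unconstrained string, so a manifest with kind Role and any apiVersion value still validates against this schema. Since x-kubernetes-group-version-kind already records group rbac.authorization.k8s.io and version v1, consider constraining apiVersion to "rbac.authorization.k8s.io/v1" so the two fields are checked together. The metadata description here also drops the More info link that the apiVersion and kind descriptions in the same definition keep.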
@@ -14656,38 +14623,49 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IPAddress" + "RoleBinding" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddressSpec", - "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "roleRef": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", + "description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." 
+ }, + "subjects": { + "description": "Subjects holds references to the objects the role applies to.", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, + "required": [ + "roleRef" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IPAddress", - "version": "v1beta1" + "group": "rbac.authorization.k8s.io", + "kind": "RoleBinding", + "version": "v1" } ] }, - "io.k8s.api.networking.v1beta1.IPAddressList": { - "description": "IPAddressList contains a list of IPAddress.", + "io.k8s.api.rbac.v1.RoleBindingList": { + "description": "RoleBindingList is a collection of RoleBindings", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of IPAddresses.", + "description": "Items is a list of RoleBindings", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddress" + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleBinding" }, "type": "array" }, 
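Review bot: in the added `io.k8s.api.rbac.v1.RoleBinding` definition, `required` lists only `roleRef`, so a binding with `subjects` omitted or empty passes this schema. If manifests are linted against this file as an RBAC gate, add a separate check for missing subjects or say in the consuming tool's documentation that the schema does not cover it. The `roleRef` description also states "This field is immutable", which the schema cannot express, so that has to be enforced by whatever compares old and new objects.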
@@ -14695,12 +14673,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IPAddressList" + "RoleBindingList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." } }, "required": [ 
@@ -14709,267 +14687,205 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IPAddressList", - "version": "v1beta1" + "group": "rbac.authorization.k8s.io", + "kind": "RoleBindingList", + "version": "v1" } ] }, - "io.k8s.api.networking.v1beta1.IPAddressSpec": { - "description": "IPAddressSpec describe the attributes in an IP Address.", + "io.k8s.api.rbac.v1.RoleList": { + "description": "RoleList is a collection of Roles", "properties": { - "parentRef": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ParentReference", - "description": "ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "Items is a list of Roles", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Role" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "RoleList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata." 
} }, "required": [ - "parentRef" + "items" ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "RoleList", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1beta1.ParentReference": { - "description": "ParentReference describes a reference to a parent object.", + "io.k8s.api.rbac.v1.RoleRef": { + "description": "RoleRef contains information that points to the role being used", "properties": { - "group": { - "description": "Group is the group of the object being referenced.", - "type": "string" - }, - "name": { - "description": "Name is the name of the object being referenced.", + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced", "type": "string" }, - "namespace": { - "description": "Namespace is the namespace of the object being referenced.", + "kind": { + "description": "Kind is the type of resource being referenced", "type": "string" }, - "resource": { - "description": "Resource is the resource of the object being referenced.", + "name": { + "description": "Name is the name of resource being referenced", "type": "string" } }, "required": [ - "resource", + "apiGroup", + "kind", "name" ], - "type": "object" + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.networking.v1beta1.ServiceCIDR": { - "description": "ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.", + "io.k8s.api.rbac.v1.Subject": { + "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "apiGroup": { + "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", "type": "string" }, "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ServiceCIDR" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec", - "description": "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus", - "description": "status represents the current state of the ServiceCIDR. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "networking.k8s.io", - "kind": "ServiceCIDR", - "version": "v1beta1" - } - ] - }, - "io.k8s.api.networking.v1beta1.ServiceCIDRList": { - "description": "ServiceCIDRList contains a list of ServiceCIDR objects.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", "type": "string" }, - "items": { - "description": "items is the list of ServiceCIDRs.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDR" - }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ServiceCIDRList" - ] + "name": { + "description": "Name of the object being referenced.", + "type": "string" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "namespace": { + "description": "Namespace of the referenced object. 
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", + "type": "string" } }, "required": [ - "items" + "kind", + "name" ], "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "networking.k8s.io", - "kind": "ServiceCIDRList", - "version": "v1beta1" - } - ] + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.networking.v1beta1.ServiceCIDRSpec": { - "description": "ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.", + "io.k8s.api.resource.v1alpha3.AllocationResult": { + "description": "AllocationResult contains attributes of an allocated resource.", "properties": { - "cidrs": { - "description": "CIDRs defines the IP blocks in CIDR notation (e.g. \"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "devices": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "description": "Devices is the result of allocating devices." + }, + "nodeSelector": { + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere." } }, "type": "object" }, - "io.k8s.api.networking.v1beta1.ServiceCIDRStatus": { - "description": "ServiceCIDRStatus describes the current state of the ServiceCIDR.", + "io.k8s.api.resource.v1alpha3.BasicDevice": { + "description": "BasicDevice defines one device instance.", "properties": { - "conditions": { - "description": "conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. 
Current service state", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + "attributes": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.node.v1.Overhead": { - "description": "Overhead structure represents the resource overhead associated with running a pod.", - "properties": { - "podFixed": { + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": "object" + }, + "capacity": { "additionalProperties": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" }, - "description": "podFixed represents the fixed resource overhead associated with running a pod.", + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" } }, "type": "object" }, - "io.k8s.api.node.v1.RuntimeClass": { - "description": "RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. 
For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/", + "io.k8s.api.resource.v1alpha3.CELDeviceSelector": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. 
you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", "type": "string" + } + }, + "required": [ + "expression" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.Device": { + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "description": "Basic defines one device instance." }, - "handler": { - "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. 
For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.", + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RuntimeClass" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "overhead": { - "$ref": "#/definitions/io.k8s.api.node.v1.Overhead", - "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" - }, - "scheduling": { - "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling", - "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes." 
} }, "required": [ - "handler" + "name" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "node.k8s.io", - "kind": "RuntimeClass", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.node.v1.RuntimeClassList": { - "description": "RuntimeClassList is a list of RuntimeClass objects.", + "io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." }, - "items": { - "description": "items is a list of schema objects.", + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", "items": { - "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass" + "type": "string" }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RuntimeClassList" - ] + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" } }, "required": [ - "items" + "source" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "node.k8s.io", - "kind": "RuntimeClassList", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.node.v1.Scheduling": { - "description": "Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.", + "io.k8s.api.resource.v1alpha3.DeviceAllocationResult": { + "description": "DeviceAllocationResult is the result of allocating devices.", "properties": { - "nodeSelector": { - "additionalProperties": { - "type": "string" + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" }, - "description": "nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. 
Any conflicts will cause the pod to be rejected in admission.", - "type": "object", - "x-kubernetes-map-type": "atomic" + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "tolerations": { - "description": "tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.", + "results": { + "description": "Results lists all allocated devices.", "items": { - "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" }, "type": "array", "x-kubernetes-list-type": "atomic" 
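Review bot: several added descriptions in this hunk state constraints that the schema itself does not carry. `io.k8s.api.rbac.v1.Subject.kind` names "User", "Group" and "ServiceAccount" but is a bare `"type": "string"`, while the top-level `kind` fields in the same hunk get an `enum` (for example `"enum": [ "RoleList" ]`); `DeviceAllocationConfiguration.source` is required but its allowed values are neither listed nor enumerated; `CELDeviceSelector.expression` says the length "must be smaller or equal to 10 Ki" with no `maxLength`; and `Device` says "Besides the name, exactly one field must be set" with no `oneOf`. Either add the constraints where they are safe to add, or note that validation against this file will not catch these cases. Separately, the added text has typos worth reporting to the source of the descriptions: "does not recognized the kind value" in `Subject.kind`, "If empty, its applies to all requests" in `DeviceAllocationConfiguration.requests`, and an unclosed parenthesis after "(e.g. device.attributes[...]" in the `CELDeviceSelector` expression description.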
@@ -14977,40 +14893,79 @@ }, "type": "object" }, - "io.k8s.api.policy.v1.Eviction": { - "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.", + "io.k8s.api.resource.v1alpha3.DeviceAttribute": { + "description": "DeviceAttribute must have exactly one field set.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "bool": { + "description": "BoolValue is a true/false value.", + "type": "boolean" + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": "integer" + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", "type": "string" }, - "deleteOptions": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions", - "description": "DeleteOptions may be provided" + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": "string" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClaim": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "Eviction" - ] + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "ObjectMeta describes the pod that is being evicted." + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "policy", - "kind": "Eviction", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.policy.v1.PodDisruptionBudget": { - "description": "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods", + "io.k8s.api.resource.v1alpha3.DeviceClass": { + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
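Review bot: the added `io.k8s.api.resource.v1alpha3.DeviceAttribute` says it "must have exactly one field set", but `bool`, `int`, `string` and `version` are declared as independent optional properties with no `oneOf`, `minProperties` or `maxProperties`, so an attribute with none or several of them set validates. The "Must not be longer than 64 characters" limit on `string` and `version` likewise has no `maxLength`. If these limits are only enforced server-side, say so where this file is consumed; otherwise add the constraints so that client-side validation matches the description.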
@@ -15020,42 +14975,51 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PodDisruptionBudget" + "DeviceClass" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec", - "description": "Specification of the desired behavior of the PodDisruptionBudget." - }, - "status": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus", - "description": "Most recently observed status of the PodDisruptionBudget." + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." 
} }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "policy", - "kind": "PodDisruptionBudget", - "version": "v1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1alpha3" } ] }, - "io.k8s.api.policy.v1.PodDisruptionBudgetList": { - "description": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.", + "io.k8s.api.resource.v1alpha3.DeviceClassConfiguration": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClassList": { + "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of PodDisruptionBudgets", + "description": "Items is the list of resource classes.", "items": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" }, "type": "array" }, 
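Review bot: the `items` description added for `io.k8s.api.resource.v1alpha3.DeviceClassList` reads "Items is the list of resource classes." while the `$ref` on the next lines points at `DeviceClass`; the wording should name the type that is actually listed. The `metadata` description in the `DeviceClass` part of this hunk ("Standard object metadata") also differs from the form used for the RBAC types earlier in the patch ("Standard object's metadata."), so pick one.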
@@ -15063,12 +15027,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PodDisruptionBudgetList" + "DeviceClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata" } }, "required": [ 
@@ -15077,148 +15041,153 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "policy", - "kind": "PodDisruptionBudgetList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "DeviceClassList", + "version": "v1alpha3" } ] }, - "io.k8s.api.policy.v1.PodDisruptionBudgetSpec": { - "description": "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.", + "io.k8s.api.resource.v1alpha3.DeviceClassSpec": { + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { - "maxUnavailable": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\"." - }, - "minAvailable": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\"." - }, - "selector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.", - "x-kubernetes-patch-strategy": "replace" + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. 
Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "unhealthyPodEvictionPolicy": { - "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. 
The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).", - "type": "string" + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.policy.v1.PodDisruptionBudgetStatus": { - "description": "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.", + "io.k8s.api.resource.v1alpha3.DeviceConstraint": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", "properties": { - "conditions": { - "description": "Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.", + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. 
A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": "string" + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + "type": "string" }, "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceRequest": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": "boolean" }, - "currentHealthy": { - "description": "current number of healthy pods", - "format": "int32", - "type": "integer" + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": "string" }, - "desiredHealthy": { - "description": "minimum desired number of healthy pods", - "format": "int32", + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", "type": "integer" }, - "disruptedPods": { - "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" }, - "description": "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.", - "type": "object" + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. 
See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": "boolean" }, - "disruptionsAllowed": { - "description": "Number of pod disruptions that are currently allowed.", - "format": "int32", - "type": "integer" + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": "string" }, - "expectedPods": { - "description": "total number of pods counted by this disruption budget", - "format": "int32", - "type": "integer" + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" }, - "observedGeneration": { - "description": "Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.", - "format": "int64", - "type": "integer" + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. 
Multiple devices may have been allocated per request.", + "type": "string" } }, "required": [ - "disruptionsAllowed", - "currentHealthy", - "desiredHealthy", - "expectedPods" + "request", + "driver", + "pool", + "device" ], "type": "object" }, - "io.k8s.api.rbac.v1.AggregationRule": { - "description": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole", + "io.k8s.api.resource.v1alpha3.DeviceSelector": { + "description": "DeviceSelector must have exactly one field set.", "properties": { - "clusterRoleSelectors": { - "description": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "cel": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "description": "CEL contains a CEL expression for selecting a device." } }, "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRole": { - "description": "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.", + "io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", "properties": { - "aggregationRule": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.AggregationRule", - "description": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller." - }, - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterRole" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." - }, - "rules": { - "description": "Rules holds all the PolicyRules for this ClusterRole", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + }, + "parameters": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." 
} }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRole", - "version": "v1" - } - ] + "required": [ + "driver", + "parameters" + ], + "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRoleBinding": { - "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", + "io.k8s.api.resource.v1alpha3.ResourceClaim": { + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
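Review bot: `adminAccess` on `io.k8s.api.resource.v1alpha3.DeviceRequest` is added as a bare boolean whose description says such claims "ignore all ordinary claims to the device with respect to access modes and any resource allocations", and the only control it names is the DRAAdminAccess feature gate. Nothing in this schema restricts who may set the field, so anyone validating manifests against this file should treat `adminAccess: true` as privileged and gate it in a separate policy check. Several other limits in this hunk exist only as description text and will not be enforced by a JSON Schema validator: `count` ("Must be greater than zero") has no `minimum`, `DeviceSelector` and `DeviceConstraint` ("exactly one field set") have no `required` or `oneOf`, and `OpaqueDeviceConfiguration.parameters` ("smaller or equal to 10 Ki") has no length bound. The added descriptions also contain typos ("classses", "AlloctionMode", "It's absence"); if this file is generated, report them at the source instead of patching them here.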
@@ -15228,87 +15197,72 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ClusterRoleBinding" + "ResourceClaim" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "description": "Standard object metadata" }, - "roleRef": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", - "description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, - "subjects": { - "description": "Subjects holds references to the objects the role applies to.", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "status": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "description": "Status describes whether the claim is ready to use and what has been allocated." 
} }, "required": [ - "roleRef" + "spec" ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleBinding", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.ClusterRoleBindingList": { - "description": "ClusterRoleBindingList is a collection of ClusterRoleBindings", + "io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", "type": "string" }, - "items": { - "description": "Items is a list of ClusterRoleBindings", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding" - }, - "type": "array" + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterRoleBindingList" - ] + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" } }, "required": [ - "items" + "resource", + "name", + "uid" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleBindingList", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRoleList": { - "description": "ClusterRoleList is a collection of ClusterRoles", + "io.k8s.api.resource.v1alpha3.ResourceClaimList": { + "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of ClusterRoles", + "description": "Items is the list of resource claims.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRole" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" }, "type": "array" }, 
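Review bot: the `-` lines in this hunk remove `io.k8s.api.rbac.v1.ClusterRoleBinding`, `io.k8s.api.rbac.v1.ClusterRoleBindingList` and the head of `io.k8s.api.rbac.v1.ClusterRoleList` at this position while the `+` lines add the `ResourceClaim` types, so the hunk on its own does not show whether the RBAC definitions still exist in the new file. Before merging, confirm by key lookup that each removed `io.k8s.api.rbac.v1.*` definition is still present elsewhere in `_definitions.json`, because any remaining `$ref` to one of them would otherwise dangle.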
@@ -15316,12 +15270,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ClusterRoleList" + "ResourceClaimList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "description": "Standard list metadata" } }, "required": [ 
@@ -15330,63 +15284,47 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaimList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.PolicyRule": { - "description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.", + "io.k8s.api.resource.v1alpha3.ResourceClaimSpec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { - "apiGroups": { - "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "nonResourceURLs": { - "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resourceNames": { - "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resources": { - "description": "Resources is a list of resources this rule applies to. 
'*' represents all resources.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "devices": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "description": "Devices defines how to request devices." + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.ResourceClaimStatus": { + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "description": "Allocation is set once the claim has been allocated successfully." }, - "verbs": { - "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. 
This may get increased in the future, but not reduced.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" }, "type": "array", - "x-kubernetes-list-type": "atomic" + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" } }, - "required": [ - "verbs" - ], "type": "object" }, - "io.k8s.api.rbac.v1.Role": { - "description": "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.", + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplate": { + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
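Review bot: `reservedFor` in `io.k8s.api.resource.v1alpha3.ResourceClaimStatus` states "There can be at most 32 such reservations", but the array is added without `maxItems`, so the cap is invisible to anything that validates against this schema. If the file is hand-maintained, add the bound; if it is generated, document that schema validation does not cover this limit. The same hunk drops `"required": [ "verbs" ]` together with `io.k8s.api.rbac.v1.PolicyRule`; check that `PolicyRule` and its required list still appear elsewhere in the new file.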
@@ -15396,123 +15334,156 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "Role" + "ResourceClaimTemplate" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "description": "Standard object metadata" }, - "rules": { - "description": "Rules holds all the PolicyRules for this Role", + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1alpha3" + } + ] + }, + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateList": { + "description": "ResourceClaimTemplateList is a collection of claim templates.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "Items is the list of resource claim templates.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ResourceClaimTemplateList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata" } }, + "required": [ + "items" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "Role", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplateList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleBinding": { - "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec": { + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. 
No other fields are allowed and will be rejected during validation." + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." + } + }, + "required": [ + "spec" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.ResourcePool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RoleBinding" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. 
The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" }, - "roleRef": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", - "description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" }, - "subjects": { - "description": "Subjects holds references to the objects the role applies to.", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. 
Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" } }, "required": [ - "roleRef" + "name", + "generation", + "resourceSliceCount" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "RoleBinding", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.rbac.v1.RoleBindingList": { - "description": "RoleBindingList is a collection of RoleBindings", + "io.k8s.api.resource.v1alpha3.ResourceSlice": { + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. 
Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "items": { - "description": "Items is a list of RoleBindings", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleBinding" - }, - "type": "array" - }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleBindingList" + "ResourceSlice" ] }, "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." 
} }, "required": [ - "items" + "spec" ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "RoleBindingList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleList": { - "description": "RoleList is a collection of Roles", + "io.k8s.api.resource.v1alpha3.ResourceSliceList": { + "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of Roles", + "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Role" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" }, "type": "array" }, @@ -15520,12 +15491,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleList" + "ResourceSliceList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "description": "Standard list metadata" } }, "required": [ 
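Review bot: The `-` lines in the hunks ending here delete the `io.k8s.api.rbac.v1.RoleBinding`, `RoleBindingList` and `RoleList` definitions (the next hunk does the same for `RoleRef` and `Subject`) at exactly the position where the `resource.v1alpha3` ResourceSlice types are added, which reads like diff alignment in a sorted file rather than an intended removal. Please confirm that the `rbac.authorization.k8s.io` v1 definitions are still present in the resulting `_definitions.json`, because anything that validates RoleBinding manifests against this schema depends on them, and say so in the change description.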
@@ -15534,68 +15505,55 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "RoleList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceSliceList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleRef": { - "description": "RoleRef contains information that points to the role being used", + "io.k8s.api.resource.v1alpha3.ResourceSliceSpec": { + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { - "apiGroup": { - "description": "APIGroup is the group for the resource being referenced", - "type": "string" + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", + "type": "boolean" }, - "kind": { - "description": "Kind is the type of resource being referenced", - "type": "string" + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.Device" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "name": { - "description": "Name is the name of resource being referenced", - "type": "string" - } - }, - "required": [ - "apiGroup", - "kind", - "name" - ], - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.rbac.v1.Subject": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. 
Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", "type": "string" }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. This field is immutable.", "type": "string" }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" + "nodeSelector": { + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", - "type": "string" + "pool": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "description": "Pool describes the pool that this ResourceSlice belongs to." 
} }, "required": [ - "kind", - "name" + "driver", + "pool" ], - "type": "object", - "x-kubernetes-map-type": "atomic" + "type": "object" }, - "io.k8s.api.resource.v1alpha3.AllocationResult": { + "io.k8s.api.resource.v1beta1.AllocationResult": { "description": "AllocationResult contains attributes of an allocated resource.", "properties": { "devices": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult", "description": "Devices is the result of allocating devices." }, "nodeSelector": { @@ -15605,19 +15563,19 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.BasicDevice": { + "io.k8s.api.resource.v1beta1.BasicDevice": { "description": "BasicDevice defines one device instance.", "properties": { "attributes": { "additionalProperties": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" }, "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" }, "capacity": { "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" @@ -15625,7 +15583,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.CELDeviceSelector": { + "io.k8s.api.resource.v1beta1.CELDeviceSelector": { "description": "CELDeviceSelector contains a CEL expression for selecting a device.", "properties": { "expression": { 
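Review bot: In the BasicDevice hunk on the line above, `capacity.additionalProperties` changes its `$ref` from `io.k8s.apimachinery.pkg.api.resource.Quantity` to `io.k8s.api.resource.v1beta1.DeviceCapacity`, so this is a shape change and not just the v1alpha3 to v1beta1 rename that the neighbouring hunks make. DeviceCapacity is added later in this patch as an object with a required `value`, so a capacity entry written as a bare quantity will no longer validate against the v1beta1 schema. Call this out in the change description so that anyone converting v1alpha3 manifests knows each capacity now has to be wrapped in an object with a `value` field.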
@@ -15638,11 +15596,11 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.Device": { + "io.k8s.api.resource.v1beta1.Device": { "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { "basic": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.BasicDevice", "description": "Basic defines one device instance." }, "name": { @@ -15655,11 +15613,11 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration": { "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { @@ -15680,13 +15638,13 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAllocationResult": { + "io.k8s.api.resource.v1beta1.DeviceAllocationResult": { "description": "DeviceAllocationResult is the result of allocating devices.", "properties": { "config": { "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -15694,7 +15652,7 @@ "results": { "description": "Results lists all allocated devices.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15702,7 +15660,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAttribute": { + "io.k8s.api.resource.v1beta1.DeviceAttribute": { "description": "DeviceAttribute must have exactly one field set.", "properties": { "bool": { @@ -15725,13 +15683,26 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClaim": { + "io.k8s.api.resource.v1beta1.DeviceCapacity": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity", + "description": "Value defines how much of a certain device capacity is available." + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "io.k8s.api.resource.v1beta1.DeviceClaim": { "description": "DeviceClaim defines how to request devices with a ResourceClaim.", "properties": { "config": { "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15739,7 +15710,7 @@ "constraints": { "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -15747,7 +15718,7 @@ "requests": { "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15755,11 +15726,11 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceClaimConfiguration": { "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { @@ -15773,7 +15744,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClass": { + "io.k8s.api.resource.v1beta1.DeviceClass": { "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { 
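Review bot: The description under the new `io.k8s.api.resource.v1beta1.DeviceClass` key still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", and the same sentence is carried unchanged into the v1beta1 ResourceClaim, ResourceClaimTemplate and ResourceSlice descriptions in later hunks. Either the wording should match the version in the key, or, if these descriptions are copied from an upstream spec, the change description should note that the mismatch comes from there, so readers do not take the schema text as a statement of the API's stability level.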
@@ -15792,7 +15763,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec", "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -15804,21 +15775,21 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.DeviceClassConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceClassConfiguration": { "description": "DeviceClassConfiguration is used in DeviceClass.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClassList": { + "io.k8s.api.resource.v1beta1.DeviceClassList": { "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { @@ -15828,7 +15799,7 @@ "items": { "description": "Items is the list of resource classes.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" }, "type": "array" }, 
@@ -15852,17 +15823,17 @@ { "group": "resource.k8s.io", "kind": "DeviceClassList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.DeviceClassSpec": { + "io.k8s.api.resource.v1beta1.DeviceClassSpec": { "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { "config": { "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15870,7 +15841,7 @@ "selectors": { "description": "Each selector must be satisfied by a device which is claimed via this class.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15878,7 +15849,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceConstraint": { + "io.k8s.api.resource.v1beta1.DeviceConstraint": { "description": "DeviceConstraint must have exactly one field set besides Requests.", "properties": { "matchAttribute": { 
@@ -15896,7 +15867,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceRequest": { + "io.k8s.api.resource.v1beta1.DeviceRequest": { "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", "properties": { "adminAccess": { @@ -15923,7 +15894,7 @@ "selectors": { "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15935,7 +15906,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult": { + "io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult": { "description": "DeviceRequestAllocationResult contains the allocation result for one request.", "properties": { "adminAccess": { 
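Review bot: The DeviceRequest description that the first hunk on the line above moves under the v1beta1 key still reads "It's absence indicates"; it should be "Its absence". That sentence carries the rule that a client must refuse a request whose DeviceClassName is not set, so it is worth fixing while the text is being touched, along with "classses" in the DeviceClassSpec `config` description a few hunks earlier.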
@@ -15967,17 +15938,17 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceSelector": { + "io.k8s.api.resource.v1beta1.DeviceSelector": { "description": "DeviceSelector must have exactly one field set.", "properties": { "cel": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector", "description": "CEL contains a CEL expression for selecting a device." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration": { + "io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration": { "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", "properties": { "driver": { @@ -15986,7 +15957,7 @@ }, "parameters": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", - "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions." + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, "required": [ 
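Review bot: The only text added in the OpaqueDeviceConfiguration hunk is the sentence "The length of the raw data must be smaller or equal to 10 Ki." in the `parameters` description, while the property itself remains a bare `$ref` to `io.k8s.apimachinery.pkg.runtime.RawExtension` with no size constraint. A validator driven by this schema will therefore accept oversized `parameters`, and the same description already leaves validation to the driver developer, so the limit should be documented as not expressed by this schema. Wording nit: "smaller than or equal to".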
@@ -15995,7 +15966,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaim": { + "io.k8s.api.resource.v1beta1.ResourceClaim": { "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16014,11 +15985,11 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, "status": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus", "description": "Status describes whether the claim is ready to use and what has been allocated." } }, @@ -16030,11 +16001,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference": { + "io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference": { "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", "properties": { "apiGroup": { @@ -16061,7 +16032,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimList": { + "io.k8s.api.resource.v1beta1.ResourceClaimList": { "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { 
@@ -16071,7 +16042,7 @@ "items": { "description": "Items is the list of resource claims.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" }, "type": "array" }, 
@@ -16095,31 +16066,31 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimSpec": { + "io.k8s.api.resource.v1beta1.ResourceClaimSpec": { "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { "devices": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim", "description": "Devices defines how to request devices." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimStatus": { + "io.k8s.api.resource.v1beta1.ResourceClaimStatus": { "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", "properties": { "allocation": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.AllocationResult", "description": "Allocation is set once the claim has been allocated successfully." }, "reservedFor": { "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. 
The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" }, "type": "array", "x-kubernetes-list-map-keys": [ @@ -16132,7 +16103,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplate": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplate": { "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16151,7 +16122,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec", "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." } }, @@ -16163,11 +16134,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateList": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplateList": { "description": "ResourceClaimTemplateList is a collection of claim templates.", "properties": { "apiVersion": { @@ -16177,7 +16148,7 @@ "items": { "description": "Items is the list of resource claim templates.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" }, "type": "array" }, 
@@ -16201,11 +16172,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplateList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec": { "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", "properties": { "metadata": { @@ -16213,7 +16184,7 @@ "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." } }, @@ -16222,7 +16193,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourcePool": { + "io.k8s.api.resource.v1beta1.ResourcePool": { "description": "ResourcePool describes the pool that ResourceSlices belong to.", "properties": { "generation": { 
@@ -16247,7 +16218,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceSlice": { + "io.k8s.api.resource.v1beta1.ResourceSlice": { "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { 
@@ -16266,7 +16237,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec", "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -16278,11 +16249,11 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceSliceList": { + "io.k8s.api.resource.v1beta1.ResourceSliceList": { "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { @@ -16292,7 +16263,7 @@ "items": { "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" }, "type": "array" }, @@ -16316,11 +16287,11 @@ { "group": "resource.k8s.io", "kind": "ResourceSliceList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceSliceSpec": { + "io.k8s.api.resource.v1beta1.ResourceSliceSpec": { "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { "allNodes": { @@ -16330,7 +16301,7 @@ "devices": { "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.Device" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.Device" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -16348,7 +16319,7 @@ "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, "pool": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourcePool", "description": "Pool describes the pool that this ResourceSlice belongs to." } }, @@ -18698,6 +18669,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", @@ -19448,6 +19424,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master-standalone/all.json b/master-standalone/all.json index 7479d816261e4a8a88236c2a3aa5f261f633173a..cd8edfc51f4517d4bd8d8e6b3ef7ce87ec9ce19d 100644 --- a/master-standalone/all.json +++ b/master-standalone/all.json @@ -79,10 +79,10 @@ "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch" }, { "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" 
@@ -91,40 +91,34 @@ "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" }, { - "$ref": 
"_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind" }, { - "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" + "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef" }, { "$ref": "_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" @@ -318,12 +312,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1.UserInfo" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReview" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReview" }, @@ -537,15 +525,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.coordination.v1.Lease" }, 
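Review bot: all.json is left without any ClusterTrustBundle entry at this position once the three certificates.v1alpha1 refs in hunk @@ -537,15 +525,6 @@ are removed. The context on either side (certificates.v1.CertificateSigningRequestStatus before, coordination.v1.Lease after) shows no other version of the type taking their place. If dropping schema coverage for trust bundle manifests is intended, say so in the commit message so that users who validate ClusterTrustBundle objects against all.json know the check no longer applies and can stay on the previous schema revision.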
@@ -1296,75 +1275,6 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.UserSubject" }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec" - }, - { - "$ref": 
"_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" - }, - { - "$ref": "_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject" - }, { "$ref": "_definitions.json#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" }, 
@@ -1620,6 +1530,99 @@ { "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec" }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.AllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.BasicDevice" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.Device" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration" + }, + { + "$ref": 
"_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourcePool" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceList" + }, + { + "$ref": "_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec" + }, { "$ref": "_definitions.json#/definitions/io.k8s.api.scheduling.v1.PriorityClass" }, diff --git a/master-standalone/allocationresult-resource-v1beta1.json b/master-standalone/allocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..d268d4e2b36330683cab5912be20944061242e5d --- /dev/null +++ b/master-standalone/allocationresult-resource-v1beta1.json 
@@ -0,0 +1,235 @@ +{ + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/applyconfiguration-admissionregistration-v1alpha1.json b/master-standalone/applyconfiguration-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..e0c6042828baab111248e45cb145a26ecd361b55 --- /dev/null +++ b/master-standalone/applyconfiguration-admissionregistration-v1alpha1.json 
@@ -0,0 +1,14 @@ +{ + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/applyconfiguration.json b/master-standalone/applyconfiguration.json new file mode 100644 index 0000000000000000000000000000000000000000..e0c6042828baab111248e45cb145a26ecd361b55 --- /dev/null +++ b/master-standalone/applyconfiguration.json 
@@ -0,0 +1,14 @@ +{ + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/auditannotation-admissionregistration-v1alpha1.json b/master-standalone/auditannotation-admissionregistration-v1alpha1.json deleted file mode 100644 index a6d3ffb05ea62d6d3dc68565b78d718f67fb77ac..0000000000000000000000000000000000000000 --- a/master-standalone/auditannotation-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": [ - "string", - "null" - ] - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone/basicdevice-resource-v1beta1.json b/master-standalone/basicdevice-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..b480acdb24691596b409b368fcd5f60878ee4503 --- /dev/null +++ b/master-standalone/basicdevice-resource-v1beta1.json 
@@ -0,0 +1,87 @@ +{ + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + }, + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ] + }, + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/basicdevice.json b/master-standalone/basicdevice.json index 5ef013a85a9454d6573ff20258190cb8dde8952c..b480acdb24691596b409b368fcd5f60878ee4503 100644 --- a/master-standalone/basicdevice.json 
+++ b/master-standalone/basicdevice.json @@ -48,19 +48,31 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" ] }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", diff --git a/master-standalone/celdeviceselector-resource-v1beta1.json b/master-standalone/celdeviceselector-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..b63da15344f67f3be1538b3844af870028bb3d2b --- /dev/null +++ b/master-standalone/celdeviceselector-resource-v1beta1.json 
@@ -0,0 +1,17 @@ +{ + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. 
Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "expression" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/clustertrustbundle-certificates-v1alpha1.json b/master-standalone/clustertrustbundle-certificates-v1alpha1.json deleted file mode 100644 index 9481a01076811e90eaccf40165446a6e9d8d2b7a..0000000000000000000000000000000000000000 --- a/master-standalone/clustertrustbundle-certificates-v1alpha1.json +++ /dev/null 
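Review bot: In the new master-standalone/celdeviceselector-resource-v1beta1.json, `expression` is listed in `required` but typed `["string", "null"]`, so `"expression": null` passes validation even though the description requires an expression that evaluates to true or false. The description also caps the expression at 10 Ki, yet the schema has no `maxLength`, so a validator using this file will not flag oversized expressions. Consider typing the field as `"string"` only and adding a `maxLength` that matches the documented limit. Minor: the `attributes` bullet in the description opens a parenthesis at "(e.g." that is never closed, and the file ends without a trailing newline.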
@@ -1,310 +0,0 @@ -{ - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "certificates.k8s.io/v1alpha1" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "properties": { - "annotations": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", - "type": [ - "object", - "null" - ] - }, - "creationTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "deletionTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set", - "x-kubernetes-patch-strategy": "merge" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": [ - "string", - "null" - ] - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "labels": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", - "type": [ - "object", - "null" - ] - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "items": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": [ - "string", - "null" - ] - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": [ - "string", - "null" - ] - }, - "fieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": [ - "object", - "null" - ] - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": [ - "string", - "null" - ] - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": [ - "string", - "null" - ] - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": [ - "string", - "null" - ] - }, - "time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "name": { - "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", - "type": [ - "string", - "null" - ] - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "items": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "properties": { - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": [ - "boolean", - "null" - ] - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": [ - "boolean", - "null" - ] - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - }, - "required": [ - "apiVersion", - "kind", - "name", - "uid" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-map-type": "atomic" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "uid" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "spec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). 
For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": [ - "object", - "null" - ] - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/clustertrustbundle.json b/master-standalone/clustertrustbundle.json deleted file mode 100644 index aab33f950a8f7fa003c386dc2da42212a7ca931d..0000000000000000000000000000000000000000 --- a/master-standalone/clustertrustbundle.json +++ /dev/null 
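Review bot: Deleting master-standalone/clustertrustbundle-certificates-v1alpha1.json (whole file, `@@ -1,310 +0,0 @@`) leaves no schema for `certificates.k8s.io/v1alpha1` ClusterTrustBundle in the lines shown here, and the unversioned clustertrustbundle.json is deleted immediately after it. This kind carries cluster-wide X.509 trust anchors, so a validator set up to skip kinds that have no schema would pass those manifests unchecked. Please state in the commit message whether a schema for a newer version is added elsewhere in this change or whether the kind is dropped on purpose.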
@@ -1,307 +0,0 @@ -{ - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "properties": { - "annotations": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", - "type": [ - "object", - "null" - ] - }, - "creationTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "deletionTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set", - "x-kubernetes-patch-strategy": "merge" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": [ - "string", - "null" - ] - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "labels": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", - "type": [ - "object", - "null" - ] - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "items": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": [ - "string", - "null" - ] - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": [ - "string", - "null" - ] - }, - "fieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": [ - "object", - "null" - ] - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": [ - "string", - "null" - ] - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": [ - "string", - "null" - ] - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": [ - "string", - "null" - ] - }, - "time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "name": { - "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", - "type": [ - "string", - "null" - ] - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "items": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "properties": { - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": [ - "boolean", - "null" - ] - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": [ - "boolean", - "null" - ] - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - }, - "required": [ - "apiVersion", - "kind", - "name", - "uid" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-map-type": "atomic" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "uid" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "spec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). 
For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": [ - "object", - "null" - ] - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/clustertrustbundlelist.json b/master-standalone/clustertrustbundlelist.json deleted file mode 100644 index 3c884a5bebaf909848d99a3f4169fbefa18ba462..0000000000000000000000000000000000000000 --- a/master-standalone/clustertrustbundlelist.json +++ /dev/null 
@@ -1,385 +0,0 @@ -{ - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ] - }, - "items": { - "description": "items is a collection of ClusterTrustBundle objects", - "items": { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "properties": { - "annotations": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", - "type": [ - "object", - "null" - ] - }, - "creationTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "deletionTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. 
If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set", - "x-kubernetes-patch-strategy": "merge" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": [ - "string", - "null" - ] - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "labels": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", - "type": [ - "object", - "null" - ] - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "items": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": [ - "string", - "null" - ] - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": [ - "string", - "null" - ] - }, - "fieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": [ - "object", - "null" - ] - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": [ - "string", - "null" - ] - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": [ - "string", - "null" - ] - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": [ - "string", - "null" - ] - }, - "time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "name": { - "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", - "type": [ - "string", - "null" - ] - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "items": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "properties": { - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": [ - "boolean", - "null" - ] - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": [ - "boolean", - "null" - ] - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - }, - "required": [ - "apiVersion", - "kind", - "name", - "uid" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-map-type": "atomic" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "uid" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "spec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). 
For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": "object" - } - }, - "required": [ - "spec" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ] - }, - "type": [ - "array", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundleList" - ] - }, - "metadata": { - "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. 
A resource may have only one of {ObjectMeta, ListMeta}.", - "properties": { - "continue": { - "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", - "type": [ - "string", - "null" - ] - }, - "remainingItemCount": { - "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "resourceVersion": { - "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/clustertrustbundlespec-certificates-v1alpha1.json b/master-standalone/clustertrustbundlespec-certificates-v1alpha1.json deleted file mode 100644 index 22831e1f32c81ea493f1c9fed529a7fa18df2050..0000000000000000000000000000000000000000 --- a/master-standalone/clustertrustbundlespec-certificates-v1alpha1.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
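Review bot: the full-file removal at `@@ -1,24 +0,0 @@` takes away the versioned standalone schema for `ClusterTrustBundleSpec`, and this part of the patch adds no successor version for it, unlike `resource.k8s.io`, which gains `-resource-v1beta1.json` files. A validator that resolves schemas by kind and version will stop finding one for `certificates.k8s.io/v1alpha1` trust-anchor manifests, and whether that surfaces as an error or as a silent skip depends on its missing-schema setting. Please state in the commit message that the removal tracks the upstream API and is not a generator regression, so consumers who still validate these manifests know to pin an older schema set.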
diff --git a/master-standalone/clustertrustbundlespec.json b/master-standalone/clustertrustbundlespec.json deleted file mode 100644 index 22831e1f32c81ea493f1c9fed529a7fa18df2050..0000000000000000000000000000000000000000 --- a/master-standalone/clustertrustbundlespec.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
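Review bot: in the schema deleted here, `trustBundle` is listed under `required` but typed `["string", "null"]`, so a manifest with `trustBundle: null` validated, while the copy embedded in clustertrustbundlelist.json types the same field as plain `"string"`. The deletion makes that moot for this file, but the generator should be checked before a later version of this kind is emitted again: a required trust-anchor field that accepts null lets an empty or misrendered bundle through schema validation. Suggest making required properties non-nullable in the standalone output, or documenting why the two variants differ.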
diff --git a/master-standalone/csipersistentvolumesource-v1.json b/master-standalone/csipersistentvolumesource-v1.json index 643b1a3cc57fc777244412b3eff574cdaa33280d..35f4c6dbeedb2c307074526fed4a0ca8a1c83f58 100644 --- a/master-standalone/csipersistentvolumesource-v1.json +++ b/master-standalone/csipersistentvolumesource-v1.json @@ -1,5 +1,5 @@ { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", diff --git a/master-standalone/csipersistentvolumesource.json b/master-standalone/csipersistentvolumesource.json index 643b1a3cc57fc777244412b3eff574cdaa33280d..35f4c6dbeedb2c307074526fed4a0ca8a1c83f58 100644 --- a/master-standalone/csipersistentvolumesource.json +++ b/master-standalone/csipersistentvolumesource.json @@ -1,5 +1,5 @@ { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", diff --git a/master-standalone/deleteoptions-meta-v1.json b/master-standalone/deleteoptions-meta-v1.json index 7e0be433926b73eeff4f228e2cdaf48a3c47db07..ca97c544e6266f226f56824851836b5310a605d5 100644 --- a/master-standalone/deleteoptions-meta-v1.json +++ b/master-standalone/deleteoptions-meta-v1.json @@ -61,6 +61,7 @@ "rbac.authorization.k8s.io/v1alpha1", "rbac.authorization.k8s.io/v1beta1", "resource.k8s.io/v1alpha3", + "resource.k8s.io/v1beta1", "scheduling.k8s.io/v1", "scheduling.k8s.io/v1alpha1", "scheduling.k8s.io/v1beta1", 
@@ -407,6 +408,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-standalone/deleteoptions.json b/master-standalone/deleteoptions.json index c420f31b573bfc76a8151be56ff29dcc2b0d3c0a..6412da8106ad340a387c4e2e352e98a16f36d9a8 100644 --- a/master-standalone/deleteoptions.json +++ b/master-standalone/deleteoptions.json @@ -345,6 +345,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-standalone/device-resource-v1beta1.json b/master-standalone/device-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..4d46cd172b833b1bb483cb9387dd84f3a91891ed --- /dev/null +++ b/master-standalone/device-resource-v1beta1.json 
@@ -0,0 +1,106 @@ +{ + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + }, + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ] + }, + "description": "Capacity defines the set of capacities for this device. 
The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "name" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/device.json b/master-standalone/device.json index 7639f3f2f2998b6a48ba82c79b50f2920eeb04ed..4d46cd172b833b1bb483cb9387dd84f3a91891ed 100644 --- a/master-standalone/device.json +++ b/master-standalone/device.json @@ -51,19 +51,31 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" ] }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", diff --git a/master-standalone/deviceallocationconfiguration-resource-v1beta1.json b/master-standalone/deviceallocationconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..4dc002d7859a3d5d7ac5400ab5ced5197b9e1838 --- /dev/null +++ b/master-standalone/deviceallocationconfiguration-resource-v1beta1.json 
@@ -0,0 +1,52 @@ +{ + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "source" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/deviceallocationresult-resource-v1beta1.json b/master-standalone/deviceallocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..291cd74333b9fcbc54c63ab66bbea6c8ce5dbcb6 --- /dev/null +++ b/master-standalone/deviceallocationresult-resource-v1beta1.json 
@@ -0,0 +1,112 @@ +{ + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/deviceattribute-resource-v1beta1.json b/master-standalone/deviceattribute-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..4ad000a165e9001a20e6cac6594729d56207f765 --- /dev/null +++ b/master-standalone/deviceattribute-resource-v1beta1.json 
@@ -0,0 +1,36 @@ +{ + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/devicecapacity-resource-v1beta1.json b/master-standalone/devicecapacity-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..7116bad2351593c80382b7c68c4a5e8b4d467358 --- /dev/null +++ b/master-standalone/devicecapacity-resource-v1beta1.json @@ -0,0 +1,26 @@ +{ + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/devicecapacity.json b/master-standalone/devicecapacity.json new file mode 100644 index 0000000000000000000000000000000000000000..7116bad2351593c80382b7c68c4a5e8b4d467358 --- /dev/null +++ b/master-standalone/devicecapacity.json 
@@ -0,0 +1,26 @@ +{ + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/deviceclaim-resource-v1beta1.json b/master-standalone/deviceclaim-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..178f8fd487324f029876653a236c8a3e347e8bc7 --- /dev/null +++ b/master-standalone/deviceclaim-resource-v1beta1.json 
@@ -0,0 +1,181 @@ +{ + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? 
Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. 
All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". 
This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
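Review bot: In deviceallocationresult-resource-v1beta1.json, `config.items.properties.source` is `"type": "string"` and listed under `required`, but the stand-alone DeviceAllocationConfiguration schema just before it declares the same required `source` as `["string", "null"]`, so a manifest with `source: null` passes one schema and fails the other. Make the stand-alone schema use plain `string` for required properties so both agree. The `requests` description in both of these hunks also reads "If empty, its applies to all requests", where the DeviceClaimConfiguration copy has "it applies"; that wording comes from the upstream doc comment and should be fixed there, then regenerated.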
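Review bot: In deviceclaim-resource-v1beta1.json, `requests.items.properties.adminAccess` is described as an alpha field behind the DRAAdminAccess feature gate that ignores ordinary claims to the device, yet the schema accepts any boolean, so a claim with `adminAccess: true` validates cleanly here whether or not the gate is on. Anyone using this schema as a manifest lint gate needs a separate policy check for that field, and that is worth stating in the repository docs. The same applies to `config.items.properties.opaque.parameters`: it is an unconstrained `"type": "object"` whose description is the generic RawExtension Go comment (including the TODO and a wire example with trailing commas), so driver parameters get no validation from this file. Smaller points to fix upstream before regenerating: "AlloctionMode" in the `allocationMode` description, "It's absence" in the DeviceRequest description, and the unclosed parenthesis after the `device.attributes["dra.example.com"]` example in the `cel.expression` description.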
diff --git a/master-standalone/deviceclaimconfiguration-resource-v1beta1.json b/master-standalone/deviceclaimconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..2e259099ca75b07c6f8e06782caf4d93d21b06f3 --- /dev/null +++ b/master-standalone/deviceclaimconfiguration-resource-v1beta1.json 
@@ -0,0 +1,42 @@ +{ + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/selfsubjectreview-authentication-v1alpha1.json b/master-standalone/deviceclass-resource-v1beta1.json similarity index 69% rename from master-standalone/selfsubjectreview-authentication-v1alpha1.json rename to master-standalone/deviceclass-resource-v1beta1.json index 019df71031f5c39d1a8700b1557eec1b4a0aa7ba..d8fbcf565e4ebe076ee01aa3e7017cb12620d929 100644 --- a/master-standalone/selfsubjectreview-authentication-v1alpha1.json +++ b/master-standalone/deviceclass-resource-v1beta1.json 
@@ -1,5 +1,5 @@ { - "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,7 +8,7 @@ "null" ], "enum": [ - "authentication.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "kind": { @@ -18,7 +18,7 @@ "null" ], "enum": [ - "SelfSubjectReview" + "DeviceClass" ] }, "metadata": { 
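Review bot: The new top-level description in the first hunk of deviceclass-resource-v1beta1.json still says "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate", while the `apiVersion` enum two lines of diff later is set to `resource.k8s.io/v1beta1`. One of the two is stale; if the type is beta, the description should be corrected upstream and the schema regenerated. Separately, this file is recorded as a 69% rename from selfsubjectreview-authentication-v1alpha1.json, which is only git pairing two unrelated files by similarity, but it does mean the SelfSubjectReview v1alpha1 schema disappears from master-standalone in this change. Confirm that removal is intended, since consumers that reference that path will no longer find it.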
@@ -271,64 +271,79 @@ "null" ] }, - "status": { - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", + "spec": { + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { - "userInfo": { - "description": "UserInfo holds the information about the user needed to implement the user.Info interface.", - "properties": { - "extra": { - "additionalProperties": { - "items": { - "type": [ - "string", - "null" - ] + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. 
(TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } }, + "required": [ + "driver", + "parameters" + ], "type": [ - "array", + "object", "null" ] - }, - "description": "Any additional information provided by the authenticator.", - "type": [ - "object", - "null" - ] + } }, - "groups": { - "description": "The names of groups this user is a part of.", - "items": { + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". 
This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], "type": [ - "string", + "object", "null" ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "uid": { - "description": "A unique value that identifies this user across time. 
If this user is deleted and another user by the same name is added, they will have different UIDs.", - "type": [ - "string", - "null" - ] + } }, - "username": { - "description": "The name that uniquely identifies this user among all active users.", - "type": [ - "string", - "null" - ] - } + "type": [ + "object", + "null" + ] }, "type": [ - "object", + "array", "null" - ] + ], + "x-kubernetes-list-type": "atomic" } }, "type": [ @@ -337,12 +352,15 @@ ] } }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "authentication.k8s.io", - "kind": "SelfSubjectReview", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/deviceclass.json b/master-standalone/deviceclass.json index bbbbd099fbb1abf8af26ed9914f99e568cae49d3..744c601864ad5af242305ff360f19de8d917e61e 100644 --- a/master-standalone/deviceclass.json +++ b/master-standalone/deviceclass.json @@ -357,7 +357,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/deviceclassconfiguration-resource-v1beta1.json b/master-standalone/deviceclassconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..144857aaadbe6a852eafcb56a162b0e1d3e2bde4 --- /dev/null +++ b/master-standalone/deviceclassconfiguration-resource-v1beta1.json 
@@ -0,0 +1,28 @@ +{ + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/clustertrustbundlelist-certificates-v1alpha1.json b/master-standalone/deviceclasslist-resource-v1beta1.json similarity index 72% rename from master-standalone/clustertrustbundlelist-certificates-v1alpha1.json rename to master-standalone/deviceclasslist-resource-v1beta1.json index 10d836ef470deaf63dabc5c17b4727b62e00abc7..c9fde75acdb046878b74557efc1555a23e755cf8 100644 --- a/master-standalone/clustertrustbundlelist-certificates-v1alpha1.json +++ b/master-standalone/deviceclasslist-resource-v1beta1.json @@ -1,5 +1,5 @@ { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", + "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -8,13 +8,13 @@ "null" ], "enum": [ - "certificates.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "items is a collection of ClusterTrustBundle objects", + "description": "Items is the list of resource classes.", "items": { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -23,7 +23,7 @@ "null" ], "enum": [ - "certificates.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "kind": { 
@@ -33,7 +33,7 @@ "null" ], "enum": [ - "ClusterTrustBundle" + "DeviceClass" ] }, "metadata": { 
@@ -287,23 +287,80 @@ ] }, "spec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. 
Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. 
The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, "type": [ - "string", + "array", "null" - ] + ], + "x-kubernetes-list-type": "atomic" }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. 
Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. 
For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, - "required": [ - "trustBundle" - ], "type": "object" } }, @@ -316,9 +373,9 @@ ], "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1beta1" } ] }, @@ -334,7 +391,7 @@ "null" ], "enum": [ - "ClusterTrustBundleList" + "DeviceClassList" ] }, "metadata": { @@ -382,9 +439,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClassList", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/deviceclasslist.json b/master-standalone/deviceclasslist.json index 7ac2e525c721e9d653c97a091168ce64ee49cddd..d0d7302b94c4e136c1f6b1cb78aea88dc35cfe28 100644 --- a/master-standalone/deviceclasslist.json +++ b/master-standalone/deviceclasslist.json @@ -369,7 +369,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ] }, @@ -435,7 +435,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClassList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" 
diff --git a/master-standalone/deviceclassspec-resource-v1beta1.json b/master-standalone/deviceclassspec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..02f531dec73bc179800a9542bc24bd5e4ad2354c --- /dev/null +++ b/master-standalone/deviceclassspec-resource-v1beta1.json 
@@ -0,0 +1,78 @@ +{ + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", + "properties": { + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. 
It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. 
Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/deviceconstraint-resource-v1beta1.json b/master-standalone/deviceconstraint-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e3879d2e719c84058823b89f38910ee3b08c1216 --- /dev/null +++ b/master-standalone/deviceconstraint-resource-v1beta1.json 
@@ -0,0 +1,28 @@ +{ + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/devicerequest-resource-v1beta1.json b/master-standalone/devicerequest-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..af343f8f5aaa7fd7ec7b339a79d860b7dbf5a762 --- /dev/null +++ b/master-standalone/devicerequest-resource-v1beta1.json 
@@ -0,0 +1,80 @@ +{ + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": [ + "string", + "null" + ] + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. 
device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/devicerequestallocationresult-resource-v1beta1.json b/master-standalone/devicerequestallocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..ca4bcaefa2c9456976d8bf9ae0897e39c5c7b162 --- /dev/null +++ b/master-standalone/devicerequestallocationresult-resource-v1beta1.json 
@@ -0,0 +1,48 @@ +{ + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": [ + "string", + "null" + ] + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": [ + "string", + "null" + ] + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": [ + "string", + "null" + ] + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/deviceselector-resource-v1beta1.json b/master-standalone/deviceselector-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..967ca065380db5f8da553aa16e65b5066161b8ed --- /dev/null 
+++ b/master-standalone/deviceselector-resource-v1beta1.json 
@@ -0,0 +1,23 @@ +{ + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. 
Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/eviction-policy-v1.json b/master-standalone/eviction-policy-v1.json index 879c4195029ba7447454c114b8b9cd0992ad9f61..7959875488a2ffe90c2aa8088f13d6873572f7fa 100644 --- a/master-standalone/eviction-policy-v1.json +++ b/master-standalone/eviction-policy-v1.json @@ -74,6 +74,7 @@ "rbac.authorization.k8s.io/v1alpha1", "rbac.authorization.k8s.io/v1beta1", "resource.k8s.io/v1alpha3", + "resource.k8s.io/v1beta1", "scheduling.k8s.io/v1", "scheduling.k8s.io/v1alpha1", "scheduling.k8s.io/v1beta1", @@ -423,6 +424,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-standalone/eviction.json b/master-standalone/eviction.json index afeb7aff4b30947b3733e51c3d74a1255133f2ea..3a615d67d908a5147b4962e08e0e11721a67c500 100644 --- a/master-standalone/eviction.json +++ b/master-standalone/eviction.json 
@@ -358,6 +358,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master-standalone/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json b/master-standalone/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index 81bb3cf58b7ca02bfdc6c87be349a9b13447dae4..0000000000000000000000000000000000000000 --- a/master-standalone/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone/expressionwarning-admissionregistration-v1alpha1.json b/master-standalone/expressionwarning-admissionregistration-v1alpha1.json deleted file mode 100644 index 664f5a5f3e35b2f7ed032d25efed3aa49ef48f18..0000000000000000000000000000000000000000 --- a/master-standalone/expressionwarning-admissionregistration-v1alpha1.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": [ - "string", - "null" - ] - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/flowdistinguishermethod-flowcontrol-v1beta3.json b/master-standalone/flowdistinguishermethod-flowcontrol-v1beta3.json deleted file mode 100644 index dc443d094426da52a85528f20f79fd84ca9b683b..0000000000000000000000000000000000000000 --- a/master-standalone/flowdistinguishermethod-flowcontrol-v1beta3.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone/flowschema.json b/master-standalone/flowschema.json index 63ba4fe89e97d60a9f6b00715e805d018f32d7a5..38a0dbed7a68bc4c451968b6334212420fc3aa53 100644 --- a/master-standalone/flowschema.json +++ b/master-standalone/flowschema.json @@ -613,7 +613,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchema", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/flowschemacondition-flowcontrol-v1beta3.json b/master-standalone/flowschemacondition-flowcontrol-v1beta3.json deleted file mode 100644 index 353153a70c594ae6b1c820f9ff799a8b0b584f28..0000000000000000000000000000000000000000 --- a/master-standalone/flowschemacondition-flowcontrol-v1beta3.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone/flowschemalist.json b/master-standalone/flowschemalist.json index 8d5f33a011823a0b3e7d8832abc1cea38beb3cb1..209aed13bc17d722bdf24468b63eaf1256f67201 100644 --- a/master-standalone/flowschemalist.json +++ b/master-standalone/flowschemalist.json @@ -628,7 +628,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchema", - "version": "v1beta3" + "version": "v1" } ] }, @@ -694,7 +694,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchemaList", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/flowschemaspec-flowcontrol-v1beta3.json b/master-standalone/flowschemaspec-flowcontrol-v1beta3.json deleted file mode 100644 index 8729fbd22ab0c11e09efa3ce367ef4e19684bcd7..0000000000000000000000000000000000000000 --- a/master-standalone/flowschemaspec-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,273 +0,0 @@ -{ - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", - "properties": { - "distinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ] - }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "priorityLevelConfiguration": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ] - }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", - "items": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. 
This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", - "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. 
At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). 
This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. 
Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ] - }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": "string" - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": "string" - } - }, - "required": [ - "namespace", - "name" - ], - "type": [ - "object", - "null" - ] - }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ] - } - }, - "required": [ - "kind" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ] - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "priorityLevelConfiguration" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/flowschemastatus-flowcontrol-v1beta3.json b/master-standalone/flowschemastatus-flowcontrol-v1beta3.json deleted file mode 100644 index 206cc623428c89222eaeac1df84367ec4441d736..0000000000000000000000000000000000000000 
--- a/master-standalone/flowschemastatus-flowcontrol-v1beta3.json +++ /dev/null @@ -1,65 +0,0 @@ -{ - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/groupsubject-flowcontrol-v1beta3.json b/master-standalone/groupsubject-flowcontrol-v1beta3.json deleted file mode 100644 index 421ca76742afe3dfcb7f5d27e52250cc2fbc7e5c..0000000000000000000000000000000000000000 --- a/master-standalone/groupsubject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/horizontalpodautoscaler-autoscaling-v2.json b/master-standalone/horizontalpodautoscaler-autoscaling-v2.json index 892751508c0c950f3c0ceb08ded89e543e65e50c..0e582b27e546faa5323099e40d8b906f028fbcfe 100644 --- a/master-standalone/horizontalpodautoscaler-autoscaling-v2.json +++ b/master-standalone/horizontalpodautoscaler-autoscaling-v2.json @@ -1020,7 +1020,7 @@ ] }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
@@ -1717,7 +1717,7 @@ ] }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone/horizontalpodautoscaler.json b/master-standalone/horizontalpodautoscaler.json index 64acf19add4a4d7712e9195feb03815251e69cd4..18261ef78084dd74b80b6de018834779bb69bac7 100644 --- a/master-standalone/horizontalpodautoscaler.json +++ b/master-standalone/horizontalpodautoscaler.json @@ -1017,7 +1017,7 @@ ] }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, @@ -1714,7 +1714,7 @@ ] }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, 
diff --git a/master-standalone/horizontalpodautoscalerlist-autoscaling-v2.json b/master-standalone/horizontalpodautoscalerlist-autoscaling-v2.json index f46223f5a8cb3cd9c928b164a2aa8ca98602eca1..29c843fa934ec49e033d4f064f9068a59cd09fa2 100644 --- a/master-standalone/horizontalpodautoscalerlist-autoscaling-v2.json +++ b/master-standalone/horizontalpodautoscalerlist-autoscaling-v2.json @@ -1035,7 +1035,7 @@ ] }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, @@ -1732,7 +1732,7 @@ ] }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone/horizontalpodautoscalerlist.json b/master-standalone/horizontalpodautoscalerlist.json index 38c41964209cce81c75c736fc2b8d082d168e27c..6bdf9f1b08a2ed72ca7539e47fcf3856ff3baab0 100644 --- a/master-standalone/horizontalpodautoscalerlist.json +++ b/master-standalone/horizontalpodautoscalerlist.json 
@@ -1029,7 +1029,7 @@ ] }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, @@ -1726,7 +1726,7 @@ ] }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone/horizontalpodautoscalerspec-autoscaling-v2.json b/master-standalone/horizontalpodautoscalerspec-autoscaling-v2.json index ed6276c83d6037fd12fbc1ae1b53cf5589fbe670..fc89f006ad71c449b293006f4e832677665b6ef7 100644 --- a/master-standalone/horizontalpodautoscalerspec-autoscaling-v2.json +++ b/master-standalone/horizontalpodautoscalerspec-autoscaling-v2.json 
@@ -750,7 +750,7 @@ ] }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone/horizontalpodautoscalerspec.json b/master-standalone/horizontalpodautoscalerspec.json index ed6276c83d6037fd12fbc1ae1b53cf5589fbe670..fc89f006ad71c449b293006f4e832677665b6ef7 100644 --- a/master-standalone/horizontalpodautoscalerspec.json +++ b/master-standalone/horizontalpodautoscalerspec.json @@ -750,7 +750,7 @@ ] }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone/horizontalpodautoscalerstatus-autoscaling-v2.json b/master-standalone/horizontalpodautoscalerstatus-autoscaling-v2.json index d0edd69f95b7e32931691ce980d25ad31a2379b2..e58f28a51a6b574d44bd2135a5cb6cc9ae0f107c 100644 --- a/master-standalone/horizontalpodautoscalerstatus-autoscaling-v2.json +++ b/master-standalone/horizontalpodautoscalerstatus-autoscaling-v2.json 
@@ -634,7 +634,7 @@ ] }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone/horizontalpodautoscalerstatus.json b/master-standalone/horizontalpodautoscalerstatus.json index d0edd69f95b7e32931691ce980d25ad31a2379b2..e58f28a51a6b574d44bd2135a5cb6cc9ae0f107c 100644 --- a/master-standalone/horizontalpodautoscalerstatus.json +++ b/master-standalone/horizontalpodautoscalerstatus.json @@ -634,7 +634,7 @@ ] }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, diff --git a/master-standalone/jsonpatch-admissionregistration-v1alpha1.json b/master-standalone/jsonpatch-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..dbb808eff66aba537fc80dd4d4348517aabc83e0 --- /dev/null +++ b/master-standalone/jsonpatch-admissionregistration-v1alpha1.json 
@@ -0,0 +1,14 @@ +{ + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
diff --git a/master-standalone/jsonpatch.json b/master-standalone/jsonpatch.json new file mode 100644 index 0000000000000000000000000000000000000000..dbb808eff66aba537fc80dd4d4348517aabc83e0 --- /dev/null +++ b/master-standalone/jsonpatch.json 
@@ -0,0 +1,14 @@ +{ + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
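Review bot: in the last sentence of the `expression` description, the character class in `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` contains `.-/`, which a regex engine reads as the range from '.' to '/', so a literal '-' is not matched; if hyphens are meant to be allowed, put '-' last in the class or escape it. The same description has mismatched quoting in "'Object.<fieldName1>.<fieldName2>...<fieldNameN>`" and in "`~1' respectively)." (which also has a stray closing parenthesis), and several bullets ("- 'Object' ... - 'Object.<fieldName>' ...", "- 'object' ... - 'oldObject' ...") run together without the `\n` separators the other bullets have, so they render as one paragraph.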
diff --git a/master-standalone/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json b/master-standalone/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index dec5fcbaa354fbe8f0099f4fcec9af093cc7d6be..0000000000000000000000000000000000000000 --- a/master-standalone/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,88 +0,0 @@ -{ - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", - "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. 
The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. 
This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/limitedprioritylevelconfiguration.json b/master-standalone/limitedprioritylevelconfiguration.json index dec5fcbaa354fbe8f0099f4fcec9af093cc7d6be..ac8fe1cb61ce84e2f8a188bdbac508084387871a 100644 --- a/master-standalone/limitedprioritylevelconfiguration.json +++ b/master-standalone/limitedprioritylevelconfiguration.json 
@@ -75,7 +75,7 @@ ] }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", diff --git a/master-standalone/limitresponse-flowcontrol-v1beta3.json b/master-standalone/limitresponse-flowcontrol-v1beta3.json deleted file mode 100644 index 0cdaf27d5cb2040930de7b0d6725dbe29d8ab60e..0000000000000000000000000000000000000000 
--- a/master-standalone/limitresponse-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,58 +0,0 @@ -{ - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. 
\"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/localvolumesource-v1.json b/master-standalone/localvolumesource-v1.json index 7594a898ed0c6528c8eeac8508656cc060d229fa..49b86b0719c9f771c75abf57dfc1d2c054a2ea2b 100644 --- a/master-standalone/localvolumesource-v1.json +++ b/master-standalone/localvolumesource-v1.json @@ -1,5 +1,5 @@ { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/localvolumesource.json b/master-standalone/localvolumesource.json index 7594a898ed0c6528c8eeac8508656cc060d229fa..49b86b0719c9f771c75abf57dfc1d2c054a2ea2b 100644 --- a/master-standalone/localvolumesource.json +++ b/master-standalone/localvolumesource.json @@ -1,5 +1,5 @@ { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
diff --git a/master-standalone/metricspec-autoscaling-v2.json b/master-standalone/metricspec-autoscaling-v2.json index 410147f79931978a2ad7ce841bfa5215c3abd64f..d5bce9a73e93546be3fc1177e4d7ab462c1406ea 100644 --- a/master-standalone/metricspec-autoscaling-v2.json +++ b/master-standalone/metricspec-autoscaling-v2.json @@ -608,7 +608,7 @@ ] }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": [ "string", "null" diff --git a/master-standalone/metricspec.json b/master-standalone/metricspec.json index 410147f79931978a2ad7ce841bfa5215c3abd64f..d5bce9a73e93546be3fc1177e4d7ab462c1406ea 100644 --- a/master-standalone/metricspec.json +++ b/master-standalone/metricspec.json @@ -608,7 +608,7 @@ ] }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": [ "string", "null" diff --git a/master-standalone/metricstatus-autoscaling-v2.json b/master-standalone/metricstatus-autoscaling-v2.json index 5fc7c4edf557ad2dcd9e499e97ebb0b043e5a7da..702803da4638913901ee9cea7ca1ed6ff256a37d 100644 --- a/master-standalone/metricstatus-autoscaling-v2.json 
+++ b/master-standalone/metricstatus-autoscaling-v2.json @@ -573,7 +573,7 @@ ] }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": [ "string", "null" diff --git a/master-standalone/metricstatus.json b/master-standalone/metricstatus.json index 5fc7c4edf557ad2dcd9e499e97ebb0b043e5a7da..702803da4638913901ee9cea7ca1ed6ff256a37d 100644 --- a/master-standalone/metricstatus.json +++ b/master-standalone/metricstatus.json @@ -573,7 +573,7 @@ ] }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": [ "string", "null" diff --git a/master-standalone/validatingadmissionpolicy-admissionregistration-v1alpha1.json b/master-standalone/mutatingadmissionpolicy-admissionregistration-v1alpha1.json similarity index 72% rename from master-standalone/validatingadmissionpolicy-admissionregistration-v1alpha1.json rename to master-standalone/mutatingadmissionpolicy-admissionregistration-v1alpha1.json index 2509c8a70f44f4c642aab44cf8aa6d569e4f3ea7..4eac2f99e0a9fe1803b54c9fed4758984f5cc76c 100644 
--- a/master-standalone/validatingadmissionpolicy-admissionregistration-v1alpha1.json +++ b/master-standalone/mutatingadmissionpolicy-admissionregistration-v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -18,7 +18,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
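Review bot: the `enum` change to "MutatingAdmissionPolicy" lands in a file that is a rename (similarity index 72%) rather than an addition, so after this change no `validatingadmissionpolicy-admissionregistration-v1alpha1.json` remains under `master-standalone/`. Confirm that the v1alpha1 ValidatingAdmissionPolicy schema is meant to disappear at this path, and check how consumers that resolve schemas by file name behave when it is missing. Minor wording in the first hunk of this file: "coming into admission chain" is missing an article.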
@@ -272,46 +272,17 @@ ] }, "spec": { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": "string" - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": [ "string", "null" ] }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. 
Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "properties": { "expression": { 
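Review bot: the rewritten `failurePolicy` and `matchConditions` descriptions still describe validation ("failurePolicy does not define how validations that evaluate to false are handled", "must be met for a request to be validated", "in the same manner as validation expressions"), although this spec drops `validations` in favour of `mutations`. Reword these for mutations, and state what `failurePolicy=Ignore` means here: by the matching logic quoted in this hunk the policy is skipped on error, so the request proceeds without the mutation, which matters when a mutation is relied on to set a security-relevant default.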
@@ -682,6 +653,62 @@ ], "x-kubernetes-map-type": "atomic" }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). 
- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, "paramKind": { "description": "ParamKind is a tuple of Group Kind and Version.", "properties": { 
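Review bot: `patchType` is typed as a bare `string` although its description allows only "ApplyConfiguration" and "JSONPatch", and nothing in the schema ties it to the `applyConfiguration` and `jsonPatch` members, which are both nullable. An `enum` on `patchType` plus a union declaration (the `x-kubernetes-unions` discriminator form that `limitResponse` uses elsewhere in this diff) would let the schema reject a mutation whose `patchType` names one member while the other, or neither, is populated. The `mutations` description also refers to `reinvocationPolicy`, which this hunk does not define; check that the property is present in the final file.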
@@ -706,53 +733,15 @@ ], "x-kubernetes-map-type": "atomic" }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. 
Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. 
If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". 
If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": [ - "object", - "null" - ] - }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", "type": [ - "array", + "string", "null" - ], - "x-kubernetes-list-type": "atomic" + ] }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "description": "Variable is the definition of a variable that is used for composition.", "properties": { 
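Review bot: The "IfNeeded" paragraph of the new `reinvocationPolicy` description says mutations may be invoked more than once per binding, with no ordering guarantee relative to other admission plugins, webhooks, bindings and policies, but it never states what that requires of the policy author. I would add a sentence saying that mutations used with IfNeeded have to be idempotent: a JSON Patch "add" whose path ends in "/-" appends a second element when it runs twice. The description also ends with "Required." while the type is `["string", "null"]`; one of the two should change.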
@@ -778,123 +767,7 @@ "array", "null" ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": [ - "object", - "null" - ] - }, - "status": { - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "description": "Condition contains details for one aspect of the current state of this API Resource.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": "string" - }, - "message": { - "description": "message is a human readable message indicating details about the transition. This may be an empty string.", - "type": "string" - }, - "observedGeneration": { - "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "reason": { - "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. 
This field may not be empty.", - "type": "string" - }, - "status": { - "description": "status of the condition, one of True, False, Unknown.", - "type": "string" - }, - "type": { - "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", - "type": "string" - } - }, - "required": [ - "type", - "status", - "lastTransitionTime", - "reason", - "message" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "typeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": "string" - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": [ - "object", - "null" - ] + "x-kubernetes-list-type": "atomic" } }, "type": [ 
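Review bot: The `variables` list goes from `"x-kubernetes-list-type": "map"` keyed on `name` (with `x-kubernetes-patch-merge-key` and the merge patch strategy) to `"atomic"`, so the schema no longer expresses that variable names are unique, and patches and applies treat the list as a single unit instead of merging by name. That fits the ordering rule in the description (variables sorted by first appearance), but please confirm duplicate names are rejected elsewhere, since other expressions resolve `variables.<name>` by name. The same hunk removes the whole `status` block, including `typeChecking.expressionWarnings`; if MutatingAdmissionPolicy carries no status, the description should say where CEL type-check problems are reported.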
@@ -907,7 +780,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ], diff --git a/master-standalone/mutatingadmissionpolicy.json b/master-standalone/mutatingadmissionpolicy.json new file mode 100644 index 0000000000000000000000000000000000000000..0550d223a07b108c972b5e7af0ef663417e55428 --- /dev/null +++ b/master-standalone/mutatingadmissionpolicy.json 
@@ -0,0 +1,785 @@ +{ + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicy" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "properties": { + "expression": { + "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.", + "type": "string" + }, + "name": { + "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. 
The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 
'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. 
An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. 
The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. 
Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicy", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json b/master-standalone/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json similarity index 91% rename from master-standalone/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json rename to master-standalone/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json index d890bde9f44e489dedc1982c79a91583c423298b..92c3116ea45a513bab4309c406979609b0f5741b 100644 --- a/master-standalone/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json +++ b/master-standalone/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json 
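Review bot: several field descriptions in the MutatingAdmissionPolicy schema added above (the file that ends with `\ No newline at end of file`) still name the validating API. `excludeResourceRules` says "the ValidatingAdmissionPolicy should not care about", `resourceRules` says "the ValidatingAdmissionPolicy matches", both `matchPolicy` examples end with "sent to the ValidatingAdmissionPolicy", and the `variables` item `expression` refers to "the CEL expressions in Validation". Anyone reading the field help to work out which requests a mutation applies to is pointed at the wrong resource. If this file is generated, correct the wording in the source it is generated from and regenerate rather than editing it here. Two smaller points in the same hunk: the `jsonpatch.escapeKey` description has a mismatched quote and a stray parenthesis ("`~1' respectively)"), and the file is added without a trailing newline.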
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
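Review bot: this file is a 91% rename of validatingadmissionpolicybinding-admissionregistration-v1alpha1.json rather than a new file, so once the `description` line in this hunk is rewritten nothing is left at the old path. Please confirm that dropping the v1alpha1 ValidatingAdmissionPolicyBinding schema is intended, since any pipeline that validates manifests of that kind against the old path will stop finding a schema. In the new description text, the limit is introduced as a "runtime cost budget" and then called "its own CEL budget" two sentences later; one term throughout would read better, and "can not" should be "cannot".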
@@ -18,7 +18,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { @@ -272,7 +272,7 @@ ] }, "spec": { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", 
@@ -711,25 +711,11 @@ "x-kubernetes-map-type": "atomic" }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": [ "string", "null" ] - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. 
The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" } }, "type": [ @@ -742,7 +728,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ], diff --git a/master-standalone/mutatingadmissionpolicybinding.json b/master-standalone/mutatingadmissionpolicybinding.json new file mode 100644 index 0000000000000000000000000000000000000000..5152337763e851d71f761b84aeaaf31f1ad6ee53 --- /dev/null +++ b/master-standalone/mutatingadmissionpolicybinding.json 
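Review bot: in the `@@ -711,25 +711,11 @@` hunk of the v1alpha1 binding schema, the rewritten `policyName` description keeps "If the referenced resource does not exist, this binding is considered invalid and will be ignored", while the only enforcement and reporting field in the hunk, `validationActions` with its "Deny", "Warn" and "Audit" values, is removed. For a binding that is relied on to apply a mutation, a mistyped `policyName` therefore means the mutation is silently skipped, and nothing in the lines shown says how that is surfaced. The description should state where an ignored binding can be observed, or the change should come with a check that every `policyName` resolves to an existing MutatingAdmissionPolicy. The same sentence is also missing a period before "Required." ("will be ignored Required.").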
@@ -0,0 +1,733 @@ +{ + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBinding" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. 
They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. 
Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. 
Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "paramRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": [ + "string", + "null" + ] + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. 
If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": [ + "string", + "null" + ] + }, + "selector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBinding", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json b/master-standalone/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json similarity index 91% rename from master-standalone/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json rename to master-standalone/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json index 5583ff51af0b28e97a08636d05cdfe48888c0c11..6283669132718130be6c860d285d516df597884d 100644 --- a/master-standalone/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json +++ b/master-standalone/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json 
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -14,7 +14,7 @@ "items": { "description": "List of PolicyBinding.", "items": { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
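Review bot: The rewritten binding description on the `+` line uses two names for the same limit. It introduces the limit as a "runtime cost budget" (the Markdown link text), then closes with "is within its own CEL budget", a term the new text no longer defines because the sentence about the "maximum CEL budget" was dropped. Suggest one term throughout, for example "is within its own runtime cost budget". Also note that the Markdown link sits inside a JSON `description` string, so consumers that show descriptions verbatim will display the raw `[...](...)` syntax. The unchanged context line `"description": "List of PolicyBinding."` could name MutatingAdmissionPolicyBinding now that the file is specific to it.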
@@ -33,7 +33,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { @@ -287,7 +287,7 @@ ] }, "spec": { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", 
@@ -726,25 +726,11 @@ "x-kubernetes-map-type": "atomic" }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": [ "string", "null" ] - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. 
The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" } }, "type": [ @@ -760,7 +746,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ] @@ -777,7 +763,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBindingList" + "MutatingAdmissionPolicyBindingList" ] }, "metadata": { @@ -826,7 +812,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBindingList", + "kind": "MutatingAdmissionPolicyBindingList", "version": "v1alpha1" } ], 
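Review bot: In the `@@ -726,25 +726,11 @@` hunk, the new `policyName` description still runs two sentences together as "will be ignored Required." with no full stop, carried over unchanged from the removed line. More important for operators, it says a binding whose policy does not exist is "considered invalid and will be ignored" without saying how that is surfaced. For a mutating policy, this means the expected mutation is silently not applied. Suggest fixing the punctuation and adding a sentence on where the invalid binding is reported. Separately, the MutatingAdmissionPolicyBinding schema added earlier in this patch still describes `excludeResourceRules`, `resourceRules` and `matchPolicy` in terms of "the ValidatingAdmissionPolicy". None of the hunks for this renamed file touch those descriptions, so the same stale wording likely carries over here and is worth checking.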
diff --git a/master-standalone/mutatingadmissionpolicybindinglist.json b/master-standalone/mutatingadmissionpolicybindinglist.json new file mode 100644 index 0000000000000000000000000000000000000000..a98638f6ddcbb2e2da1aac6684e77187a5c36abe --- /dev/null +++ b/master-standalone/mutatingadmissionpolicybindinglist.json 
@@ -0,0 +1,814 @@ +{ + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "items": { + "description": "List of PolicyBinding.", + "items": { + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBinding" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. 
Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. 
The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. 
The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. 
'*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. 
Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "paramRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. 
Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": [ + "string", + "null" + ] + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": [ + "string", + "null" + ] + }, + "selector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBinding", + "version": "v1alpha1" + } + ] + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBindingList" + ] + }, + "metadata": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": [ + "string", + "null" + ] + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. 
Clients should not rely on the remainingItemCount to be set or to be exact.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBindingList", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json b/master-standalone/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json similarity index 88% rename from master-standalone/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json rename to master-standalone/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json index 3f6d0b0a870a59d80670dc5f42a8155e84db7e37..d0fb8c97507845e2233f3b53dd627288ca045f85 100644 --- a/master-standalone/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json +++ b/master-standalone/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json 
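Review bot: The `matchResources` descriptions in the MutatingAdmissionPolicyBinding schema that ends above still name the wrong policy type. `excludeResourceRules` ("... the ValidatingAdmissionPolicy should not care about"), `resourceRules` ("... the ValidatingAdmissionPolicy matches") and both `matchPolicy` examples ("... sent to the ValidatingAdmissionPolicy") were carried over unchanged, while the `spec` and `policyName` descriptions were updated to MutatingAdmissionPolicy. Someone reading the schema to work out which requests a mutating binding applies to is pointed at a different resource; these should read MutatingAdmissionPolicy, corrected wherever the description text originates if this file is generated. Two smaller items in the same hunk: the `resourceVersion` description under `metadata` contains a sentence cut off at "Value must be treated as opaque by clients and .", and the file ends without a trailing newline.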
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", 
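Review bot: The validating v1alpha1 binding-spec schema disappears with this rename, and the changed `description` line in this hunk is the only visible marker of it: once this lands, `master-standalone/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json` no longer exists. A manifest validator pinned to that path stops resolving a schema for the v1alpha1 ValidatingAdmissionPolicyBinding spec, and whether it then fails or skips the object depends on how it is configured. Please confirm the removal is intended rather than a side effect of reusing the file, and say so in the commit message.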
@@ -438,25 +438,11 @@ "x-kubernetes-map-type": "atomic" }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": [ "string", "null" ] - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. 
The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" } }, "type": "object", diff --git a/master-standalone/mutatingadmissionpolicybindingspec.json b/master-standalone/mutatingadmissionpolicybindingspec.json new file mode 100644 index 0000000000000000000000000000000000000000..d0fb8c97507845e2233f3b53dd627288ca045f85 --- /dev/null +++ b/master-standalone/mutatingadmissionpolicybindingspec.json 
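Review bot: Removing `validationActions` at the end of this hunk means a mutating binding spec carries no Deny/Warn/Audit setting at all, so any review check that reads `validationActions` to decide whether a binding is enforcing has nothing to read here and should not treat the missing field as "not enforced". That matters together with the new `policyName` text, which states that a binding whose policy does not exist "is considered invalid and will be ignored": a mutation relied on for hardening can silently not apply, and nothing in this spec reports it. It would help if the description said where that condition becomes visible. The same line also keeps the run-together ending "will be ignored Required." from the line it replaces; add the missing full stop while it is being touched.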
@@ -0,0 +1,450 @@ +{ + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. 
Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. 
Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. 
Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "paramRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": [ + "string", + "null" + ] + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. 
If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": [ + "string", + "null" + ] + }, + "selector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". 
The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/validatingadmissionpolicylist-admissionregistration-v1alpha1.json b/master-standalone/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json similarity index 74% rename from master-standalone/validatingadmissionpolicylist-admissionregistration-v1alpha1.json rename to master-standalone/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json index c94bffc880326df9cb6c6f53b710c2271bdf2977..d9c8ce9529679439f6349fc8dd521ac80d2e50a2 100644 --- a/master-standalone/validatingadmissionpolicylist-admissionregistration-v1alpha1.json +++ b/master-standalone/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
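Review bot: In the new master-standalone/mutatingadmissionpolicybindingspec.json, the matchResources descriptions still name the validating kind: excludeResourceRules says "the ValidatingAdmissionPolicy should not care about", resourceRules says "the ValidatingAdmissionPolicy matches", and matchPolicy says requests are "sent to the ValidatingAdmissionPolicy". paramRef.parameterNotFoundAction likewise speaks of "successful validation by the binding". For a MutatingAdmissionPolicyBindingSpec these should refer to the mutating policy and to mutation, so that the effect of `Allow` versus `Deny` on a mutation is unambiguous. Separately, policyName is documented as "Required." but is typed ["string", "null"] and the top-level object carries no "required" list, so the schema accepts a binding that names no policy. The file also ends with "\ No newline at end of file".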
@@ -14,7 +14,7 @@ "items": { "description": "List of ValidatingAdmissionPolicy.", "items": { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -33,7 +33,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
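Review bot: The unchanged context line "description": "List of ValidatingAdmissionPolicy." under "items" in the @@ -14,7 +14,7 @@ hunk is now stale. The file is renamed to mutatingadmissionpolicylist-admissionregistration-v1alpha1.json, and the item description and the kind enum both switch to MutatingAdmissionPolicy, but the list description is left as it was. Suggest changing it to "List of MutatingAdmissionPolicy." in the same change.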
@@ -287,46 +287,17 @@ ] }, "spec": { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": "string" - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": [ "string", "null" ] }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. 
Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "properties": { "expression": { 
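Review bot: The reworded failurePolicy and matchConditions descriptions in the @@ -287,46 +287,17 @@ hunk still describe validation: "failurePolicy does not define how validations that evaluate to false are handled", "conditions that must be met for a request to be validated", and "in the same manner as validation expressions". auditAnnotations is removed in this hunk and the spec is now a MutatingAdmissionPolicySpec, so these should be phrased in terms of mutations. The hunk also drops the sentence that tied Fail to the binding's validationActions without saying what Fail means for a mutating policy. Step 3 says an erroring matchCondition with failurePolicy=Ignore causes the policy to be skipped; if that means the request is admitted without the mutation, the description should say so explicitly, since that is the behaviour an operator relying on a mutation as a security default needs to know.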
@@ -697,6 +668,62 @@ ], "x-kubernetes-map-type": "atomic" }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). 
- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, "paramKind": { "description": "ParamKind is a tuple of Group Kind and Version.", "properties": { 
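Review bot: patchType in the added "mutations" items is the only required field and is a bare "type": "string", although its description allows exactly "ApplyConfiguration" and "JSONPatch". Suggest adding an enum and expressing that the applyConfiguration or jsonPatch object matching patchType must be present, since both are typed ["object", "null"] and neither is in "required". The inner expression fields have the same mismatch: each description ends in "Required." but the type is ["string", "null"] with no required list. Smaller points in the description text: the jsonpatch.escapeKey example ends its only element with a trailing comma ("}," before "]"), "'~0' and `~1' respectively)" has a stray backtick and an unmatched closing parenthesis, and "'Object.<fieldName1>.<fieldName2>...<fieldNameN>`" opens with a single quote and closes with a backtick in both the applyConfiguration and jsonPatch descriptions.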
@@ -721,53 +748,15 @@ ], "x-kubernetes-map-type": "atomic" }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. 
Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. 
If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". 
If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": [ - "object", - "null" - ] - }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", "type": [ - "array", + "string", "null" - ], - "x-kubernetes-list-type": "atomic" + ] }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "description": "Variable is the definition of a variable that is used for composition.", "properties": { 
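Review bot: the added `reinvocationPolicy` property is described as "Required." with exactly two allowed values, yet it is typed `["string", "null"]` and carries no `enum`, so a null or misspelled value passes validation against this schema. Consider adding `"enum": ["Never", "IfNeeded"]` and dropping `"null"` from the type if the field really is required. The description of `IfNeeded` says mutations may run more than once per binding with no ordering guarantee; it would help to state there that mutations under this policy must therefore be idempotent.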
@@ -793,123 +782,7 @@ "array", "null" ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": [ - "object", - "null" - ] - }, - "status": { - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "description": "Condition contains details for one aspect of the current state of this API Resource.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": "string" - }, - "message": { - "description": "message is a human readable message indicating details about the transition. This may be an empty string.", - "type": "string" - }, - "observedGeneration": { - "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "reason": { - "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. 
This field may not be empty.", - "type": "string" - }, - "status": { - "description": "status of the condition, one of True, False, Unknown.", - "type": "string" - }, - "type": { - "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", - "type": "string" - } - }, - "required": [ - "type", - "status", - "lastTransitionTime", - "reason", - "message" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "typeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": "string" - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": [ - "object", - "null" - ] + "x-kubernetes-list-type": "atomic" } }, "type": [ 
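Review bot: at the top of this hunk the list changes from `"x-kubernetes-list-type": "map"` keyed on `name` (with `"x-kubernetes-patch-strategy": "merge"`) to `"x-kubernetes-list-type": "atomic"`, which removes the schema-level statement that entries are unique by name and means a patch replaces the whole list. If that is intentional because entry order matters, say so in the list's description. The same hunk deletes the entire `status` block, including `typeChecking.expressionWarnings`; please confirm that the mutating policy is meant to expose no status for CEL type-check warnings rather than this being dropped as a side effect of the rename.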
@@ -925,7 +798,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ] @@ -942,7 +815,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyList" + "MutatingAdmissionPolicyList" ] }, "metadata": { @@ -991,7 +864,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyList", + "kind": "MutatingAdmissionPolicyList", "version": "v1alpha1" } ], diff --git a/master-standalone/mutatingadmissionpolicylist.json b/master-standalone/mutatingadmissionpolicylist.json new file mode 100644 index 0000000000000000000000000000000000000000..ab49c299f04165f05150e55c23599ce9ddea0c9f --- /dev/null +++ b/master-standalone/mutatingadmissionpolicylist.json 
@@ -0,0 +1,866 @@ +{ + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "items": { + "description": "List of ValidatingAdmissionPolicy.", + "items": { + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicy" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. 
They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "properties": { + "expression": { + "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. 
CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.", + "type": "string" + }, + "name": { + "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. 
The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 
'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. 
An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. 
The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. 
Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicy", + "version": "v1alpha1" + } + ] + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyList" + ] + }, + "metadata": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. 
The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": [ + "string", + "null" + ] + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyList", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json b/master-standalone/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json similarity index 68% rename from master-standalone/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json rename to master-standalone/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json index 78587cc046a3e46be2608dec5442775172b1c0e5..91238b5caf52aa68ed5983c12492950e8e7dd9bb 100644 --- a/master-standalone/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json +++ b/master-standalone/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json 
@@ -1,44 +1,15 @@ { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": "string" - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": [ "string", "null" ] }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. 
Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "properties": { "expression": { 
@@ -409,6 +380,62 @@ ], "x-kubernetes-map-type": "atomic" }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). 
- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, "paramKind": { "description": "ParamKind is a tuple of Group Kind and Version.", "properties": { 
@@ -433,53 +460,15 @@ ], "x-kubernetes-map-type": "atomic" }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", - "items": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. 
Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. 
If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". 
If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": [ - "object", - "null" - ] - }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", "type": [ - "array", + "string", "null" - ], - "x-kubernetes-list-type": "atomic" + ] }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "description": "Variable is the definition of a variable that is used for composition.", "properties": { @@ -505,12 +494,7 @@ "array", "null" ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" + "x-kubernetes-list-type": "atomic" } }, "type": "object", diff --git a/master-standalone/mutatingadmissionpolicyspec.json b/master-standalone/mutatingadmissionpolicyspec.json new file mode 100644 index 0000000000000000000000000000000000000000..91238b5caf52aa68ed5983c12492950e8e7dd9bb --- /dev/null +++ b/master-standalone/mutatingadmissionpolicyspec.json 
@@ -0,0 +1,502 @@ +{ + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "properties": { + "expression": { + "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. 
'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.", + "type": "string" + }, + "name": { + "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "description": "MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "properties": { + "excludeResourceRules": { + "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. 
The exclude rules take precedence over include rules (if a resource matches both, it is excluded)", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. 
'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchPolicy": { + "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. 
For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"", + "type": [ + "string", + "null" + ] + }, + "namespaceSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "objectSelector": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchLabels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "resourceRules": { + "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.", + "items": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", + "properties": { + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. 
An empty set means that everything is allowed.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. 
The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": "string" + } + }, + "required": [ + "patchType" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. 
Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/mutation-admissionregistration-v1alpha1.json b/master-standalone/mutation-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..aef09948103a2c71d367767ca96ac2075d33a256 --- /dev/null +++ b/master-standalone/mutation-admissionregistration-v1alpha1.json 
@@ -0,0 +1,49 @@ +{ + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "patchType" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/mutation.json b/master-standalone/mutation.json new file mode 100644 index 0000000000000000000000000000000000000000..aef09948103a2c71d367767ca96ac2075d33a256 --- /dev/null +++ b/master-standalone/mutation.json 
@@ -0,0 +1,49 @@ +{ + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "jsonPatch": { + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "patchType" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/nonresourcepolicyrule-flowcontrol-v1beta3.json b/master-standalone/nonresourcepolicyrule-flowcontrol-v1beta3.json deleted file mode 100644 index ca6d9120033411e377badab96c0a0ac965eb86cb..0000000000000000000000000000000000000000 --- a/master-standalone/nonresourcepolicyrule-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/opaquedeviceconfiguration-resource-v1beta1.json b/master-standalone/opaquedeviceconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..706dd6db94f0b146dffb2caeae76d0b432c0630e --- /dev/null +++ b/master-standalone/opaquedeviceconfiguration-resource-v1beta1.json 
@@ -0,0 +1,25 @@ +{ + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": [ + "string", + "null" + ] + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. 
(TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "driver", + "parameters" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/persistentvolume-v1.json b/master-standalone/persistentvolume-v1.json index a00929709dc34875c5563f4541a4e249a2867297..db13279c8efea854a439679849e1e79668bbb1e6 100644 --- a/master-standalone/persistentvolume-v1.json +++ b/master-standalone/persistentvolume-v1.json @@ -622,7 +622,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1142,7 +1142,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/persistentvolume.json b/master-standalone/persistentvolume.json index 0217c7d183ee8fd41ec4275147ddb9f266b4cb89..d73ed3120a0cfde3150fa52bb51bb14aff6b7f39 100644 --- a/master-standalone/persistentvolume.json +++ b/master-standalone/persistentvolume.json 
@@ -619,7 +619,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1139,7 +1139,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/persistentvolumelist-v1.json b/master-standalone/persistentvolumelist-v1.json index 00443bb14b90b3a3add0d2d50b02a0e507cb2459..c975a60ac06f8d3d39a52912257417bfaaac8750 100644 --- a/master-standalone/persistentvolumelist-v1.json +++ b/master-standalone/persistentvolumelist-v1.json @@ -637,7 +637,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", 
@@ -1157,7 +1157,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/persistentvolumelist.json b/master-standalone/persistentvolumelist.json index 04acf5e9b8421ba252e31b0da5adb7c9034077dd..f30606c234d818e078da1f93a3558ffc0ee8e4d7 100644 --- a/master-standalone/persistentvolumelist.json +++ b/master-standalone/persistentvolumelist.json @@ -631,7 +631,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1151,7 +1151,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/persistentvolumespec-v1.json b/master-standalone/persistentvolumespec-v1.json index f4a47632f85c0ca612556061b05a1a9748c2ea52..8ab880743013dec20f801895b649f28dcfba97ae 100644 
--- a/master-standalone/persistentvolumespec-v1.json +++ b/master-standalone/persistentvolumespec-v1.json @@ -349,7 +349,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -869,7 +869,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/persistentvolumespec.json b/master-standalone/persistentvolumespec.json index f4a47632f85c0ca612556061b05a1a9748c2ea52..8ab880743013dec20f801895b649f28dcfba97ae 100644 --- a/master-standalone/persistentvolumespec.json +++ b/master-standalone/persistentvolumespec.json @@ -349,7 +349,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", 
@@ -869,7 +869,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/pod-v1.json b/master-standalone/pod-v1.json index f657a6a71c6f2875716b284c1dfe9e3b8589c181..a36f6a975fc5cf0c831b8dca9be749bb5b76862f 100644 --- a/master-standalone/pod-v1.json +++ b/master-standalone/pod-v1.json @@ -10186,7 +10186,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -10736,7 +10736,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -11319,7 +11319,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone/pod.json b/master-standalone/pod.json index e9016187a4028a7557d26ffc2271a88bd0971fbe..f7767322cab88928fe178aab714b935ed475e83b 100644 --- a/master-standalone/pod.json +++ b/master-standalone/pod.json 
@@ -10183,7 +10183,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -10733,7 +10733,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -11316,7 +11316,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone/podlist-v1.json b/master-standalone/podlist-v1.json index fb425c1673343a3313a3b07b2c494326d49482f8..df4fbe472d6751934ea68f9a68fe7796b33ca75c 100644 --- a/master-standalone/podlist-v1.json +++ b/master-standalone/podlist-v1.json 
@@ -10201,7 +10201,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -10751,7 +10751,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -11334,7 +11334,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone/podlist.json b/master-standalone/podlist.json index ce17e87f47204e0cd6ac20c3affbdb7ed1f2e2b0..d4d81986117e2e83907f7eb920f8e832e2e4c794 100644 --- a/master-standalone/podlist.json +++ b/master-standalone/podlist.json 
@@ -10195,7 +10195,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -10745,7 +10745,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -11328,7 +11328,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone/podstatus-v1.json b/master-standalone/podstatus-v1.json index 43229ed742fae2d1a757894b22d5cbd7cff778c9..2e8c195cfbd95a95f205e6adbf79e7cb47866c44 100644 --- a/master-standalone/podstatus-v1.json +++ b/master-standalone/podstatus-v1.json 
@@ -66,7 +66,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -616,7 +616,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
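Review bot: The `More info` link that closes both new descriptions here is written `pod-lifecycle#pod-and-container-status`, whereas the `initContainerStatuses` hunks in this same patch change theirs to `pod-lifecycle/#pod-and-container-status`, with a slash before the fragment. Pick one form for all three status lists so the schema does not carry two spellings of the same anchor.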
@@ -1199,7 +1199,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone/podstatus.json b/master-standalone/podstatus.json index 43229ed742fae2d1a757894b22d5cbd7cff778c9..2e8c195cfbd95a95f205e6adbf79e7cb47866c44 100644 --- a/master-standalone/podstatus.json +++ b/master-standalone/podstatus.json 
@@ -66,7 +66,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { @@ -616,7 +616,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { 
@@ -1199,7 +1199,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "description": "ContainerStatus contains details for the current status of this container.", "properties": { diff --git a/master-standalone/policyruleswithsubjects-flowcontrol-v1beta3.json b/master-standalone/policyruleswithsubjects-flowcontrol-v1beta3.json deleted file mode 100644 index f5748ba12556dad83a8e4eb2d027da4ce7495ab7..0000000000000000000000000000000000000000 --- a/master-standalone/policyruleswithsubjects-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,216 +0,0 @@ -{ - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", - "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. 
A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. 
There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ] - }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": "string" - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": "string" - } - }, - "required": [ - "namespace", - "name" - ], - "type": [ - "object", - "null" - ] - }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. 
Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ] - } - }, - "required": [ - "kind" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/prioritylevelconfiguration.json b/master-standalone/prioritylevelconfiguration.json index 096b21035ace54cc4b2ce32d8061f88743f184a2..f384e5f0929b4c7a0c8539188dc312199a5d7f39 100644 --- a/master-standalone/prioritylevelconfiguration.json +++ b/master-standalone/prioritylevelconfiguration.json 
@@ -373,7 +373,7 @@ ] }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", @@ -481,7 +481,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" 
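Review bot: The added `nominalConcurrencyShares` description stops mid-sentence at "that is used to hold some request(s)", with no closing clause or period, so the explanation of the zero-value "jail" is cut off in the schema; the description should be completed before this lands. Separately, the second hunk moves the entry for `flowcontrol.apiserver.k8s.io` `PriorityLevelConfiguration` from `v1beta3` to `v1` while the same patch deletes the `-flowcontrol-v1beta3.json` standalone files, so confirm that nothing still validates `v1beta3` manifests against this directory.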
diff --git a/master-standalone/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json b/master-standalone/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json deleted file mode 100644 index 0536b9ba1f87e81afe5b6a141f06c12b18a0bf65..0000000000000000000000000000000000000000 --- a/master-standalone/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/prioritylevelconfigurationlist-flowcontrol-v1beta3.json b/master-standalone/prioritylevelconfigurationlist-flowcontrol-v1beta3.json deleted file mode 100644 index e13324a227aa156c30de146fd35c9f7af83e1f11..0000000000000000000000000000000000000000 --- a/master-standalone/prioritylevelconfigurationlist-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,575 +0,0 @@ -{ - "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "items": { - "description": "`items` is a list of request-priorities.", - "items": { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "PriorityLevelConfiguration" - ] - }, - "metadata": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "properties": { - "annotations": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", - "type": [ - "object", - "null" - ] - }, - "creationTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "deletionTimestamp": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set", - "x-kubernetes-patch-strategy": "merge" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": [ - "string", - "null" - ] - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "labels": { - "additionalProperties": { - "type": [ - "string", - "null" - ] - }, - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", - "type": [ - "object", - "null" - ] - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "items": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": [ - "string", - "null" - ] - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": [ - "string", - "null" - ] - }, - "fieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": [ - "object", - "null" - ] - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": [ - "string", - "null" - ] - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": [ - "string", - "null" - ] - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": [ - "string", - "null" - ] - }, - "time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "name": { - "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", - "type": [ - "string", - "null" - ] - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "items": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "properties": { - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": [ - "boolean", - "null" - ] - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": [ - "boolean", - "null" - ] - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": "string" - } - }, - "required": [ - "apiVersion", - "kind", - "name", - "uid" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-map-type": "atomic" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "uid" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "uid", - "x-kubernetes-patch-strategy": "merge" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "spec": { - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", - "properties": { - "exempt": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. 
This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "limited": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", - "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. 
The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. 
Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. 
A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ] - }, - "status": { - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. 
Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": [ - "object", - "null" - ] - } - }, - "type": [ - "object", - "null" - ], - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" - } - ] - }, - "type": [ - "array", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "PriorityLevelConfigurationList" - ] - }, - "metadata": { - "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", - "properties": { - "continue": { - "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. 
The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", - "type": [ - "string", - "null" - ] - }, - "remainingItemCount": { - "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "resourceVersion": { - "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": [ - "string", - "null" - ] - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/prioritylevelconfigurationlist.json b/master-standalone/prioritylevelconfigurationlist.json index 53ca8209296c157aa9f70ad09e4df5629f2b3f3e..9e59264322ef9b619a435aea73564c466c974791 100644 --- a/master-standalone/prioritylevelconfigurationlist.json +++ b/master-standalone/prioritylevelconfigurationlist.json 
@@ -385,7 +385,7 @@ ] }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", @@ -496,7 +496,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "version": "v1" } ] }, 
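Review bot: In the `@@ -385,7` hunk of `prioritylevelconfigurationlist.json`, the new `nominalConcurrencyShares` text ends at "that is used to hold some request(s)" with no closing period and never says what being held in the "jail" means for those requests. By the formula kept in the same description, `NominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs )`, a level with zero shares has a nominal concurrency limit of 0, so the description should say so directly. Zero is now a documented, meaningful value while an omitted field still defaults to 30, but the visible schema carries only `"format": "int32"` and an integer type, so nothing except prose separates "unset" from "0". Please finish the sentence with the consequence for requests routed to such a level, and, if negative values are invalid, consider a `minimum` so the schema can reject them. The same wording is repeated in the `@@ -103,7` hunk of `prioritylevelconfigurationspec.json` and needs the same fix there.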
@@ -562,7 +562,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/prioritylevelconfigurationreference-flowcontrol-v1beta3.json b/master-standalone/prioritylevelconfigurationreference-flowcontrol-v1beta3.json deleted file mode 100644 index 009271c11f11a90f54a5a8e6b420cec6286da4d9..0000000000000000000000000000000000000000 --- a/master-standalone/prioritylevelconfigurationreference-flowcontrol-v1beta3.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/prioritylevelconfigurationspec-flowcontrol-v1beta3.json b/master-standalone/prioritylevelconfigurationspec-flowcontrol-v1beta3.json deleted file mode 100644 index 3d1c3558119c9a68afd35192d1f7b9910a9a6ef5..0000000000000000000000000000000000000000 --- a/master-standalone/prioritylevelconfigurationspec-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,141 +0,0 @@ -{ - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", - "properties": { - "exempt": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "limited": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. 
It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", - "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. 
When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. 
Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
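Review bot: Manifests still pinned to group `flowcontrol.apiserver.k8s.io` at version `v1beta3` lose their schema when `prioritylevelconfigurationspec-flowcontrol-v1beta3.json` is deleted here, and the earlier hunks switch the `x-kubernetes-group-version-kind` entries in `prioritylevelconfigurationlist.json` from `"version": "v1beta3"` to `"version": "v1"`. Please confirm that a `v1` counterpart of each deleted `-flowcontrol-v1beta3.json` file is present in the tree and mention the removal in the change description. A validation pipeline that skips resources with no matching schema would stop checking those manifests silently instead of failing, so consumers should either migrate the manifests or make a missing schema an error.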
diff --git a/master-standalone/prioritylevelconfigurationspec.json b/master-standalone/prioritylevelconfigurationspec.json index 3d1c3558119c9a68afd35192d1f7b9910a9a6ef5..ce223d367832c4dd44203d4b14b184e134525a85 100644 --- a/master-standalone/prioritylevelconfigurationspec.json +++ b/master-standalone/prioritylevelconfigurationspec.json 
@@ -103,7 +103,7 @@ ] }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", diff --git a/master-standalone/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json b/master-standalone/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json deleted file mode 100644 index ea18e9ddbe6637e862827f36106fe9c46ecc4224..0000000000000000000000000000000000000000 
--- a/master-standalone/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json +++ /dev/null @@ -1,65 +0,0 @@ -{ - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/queuingconfiguration-flowcontrol-v1beta3.json b/master-standalone/queuingconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index a32f9fa0db3560a275f08d45fbe5604ea0ee691c..0000000000000000000000000000000000000000 
--- a/master-standalone/queuingconfiguration-flowcontrol-v1beta3.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone/resourceclaim-resource-v1beta1.json b/master-standalone/resourceclaim-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..88221a5a49189c6d6a1a24d5febf85cd476fef70 --- /dev/null +++ b/master-standalone/resourceclaim-resource-v1beta1.json 
@@ -0,0 +1,771 @@ +{ + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaim" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. 
If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. 
device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "status": { + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. 
They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", + "items": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. 
The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/resourceclaim.json b/master-standalone/resourceclaim.json index 45de94eba84d99404432d70086a3438e5735c747..daeb627919da80d87f6d71eed50e6fea161e58ad 100644 --- a/master-standalone/resourceclaim.json +++ b/master-standalone/resourceclaim.json @@ -761,7 +761,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" 
diff --git a/master-standalone/resourceclaimconsumerreference-resource-v1beta1.json b/master-standalone/resourceclaimconsumerreference-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c7b403264ba65696555b8191da3d5be36cdc9f30 --- /dev/null +++ b/master-standalone/resourceclaimconsumerreference-resource-v1beta1.json @@ -0,0 +1,40 @@ +{ + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": [ + "string", + "null" + ] + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/resourceclaimlist-resource-v1beta1.json b/master-standalone/resourceclaimlist-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..9dd7856133c88828deafbc5622d81e1baeecf351 --- /dev/null +++ b/master-standalone/resourceclaimlist-resource-v1beta1.json 
@@ -0,0 +1,852 @@ +{ + "description": "ResourceClaimList is a collection of claims.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "items": { + "description": "Items is the list of resource claims.", + "items": { + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaim" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. 
If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. 
The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. 
All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. 
The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": "object" + }, + "status": { + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. 
They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", + "items": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. 
The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "spec" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1beta1" + } + ] + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimList" + ] + }, + "metadata": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. 
A resource may have only one of {ObjectMeta, ListMeta}.", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": [ + "string", + "null" + ] + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimList", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/resourceclaimlist.json b/master-standalone/resourceclaimlist.json index 97ae19dc91002cb6c0e57c02f28cc109fed3498f..6a5b2b0df2398f684dec6b458897685806ff9b9c 100644 --- a/master-standalone/resourceclaimlist.json +++ b/master-standalone/resourceclaimlist.json @@ -773,7 +773,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ] }, @@ -839,7 +839,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/resourceclaimspec-resource-v1beta1.json b/master-standalone/resourceclaimspec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..99990947eec28153257b7d9ade420c721692c603 --- /dev/null +++ b/master-standalone/resourceclaimspec-resource-v1beta1.json 
@@ -0,0 +1,190 @@ +{ + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. 
If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. 
device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. 
The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/resourceclaimstatus-resource-v1beta1.json b/master-standalone/resourceclaimstatus-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..2d906344f4ddee98db57f28a7e2f46fc6ebd92b8 --- /dev/null +++ b/master-standalone/resourceclaimstatus-resource-v1beta1.json 
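Review bot: in master-standalone/resourceclaimspec-resource-v1beta1.json several limits on `requests[]` exist only in description text, so a validator using this schema will not enforce them. `count` says "Must be greater than zero" but has no `minimum`, `allocationMode` lists ExactCount and All and tells clients to refuse unknown modes but is a bare string with no `enum`, and the CEL `expression` is capped at 10 Ki in prose with no `maxLength`. Consider adding those keywords, or stating in the PR that these checks are left to the API server. `adminAccess: true` also validates on any request here, because the DRAAdminAccess feature gate appears only in the description, so anyone relying on this schema to gate manifests needs a separate policy check for that field. Minor: the descriptions contain "AlloctionMode" and "It's absence".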
@@ -0,0 +1,290 @@ +{ + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. 
You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" + } + }, + "required": [ + "source" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. 
It must be a DNS label.", + "type": "string" + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": "string" + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. 
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", + "items": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. 
The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/resourceclaimtemplate-resource-v1beta1.json b/master-standalone/resourceclaimtemplate-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..1077ccd15d10fb67a73675f990ef826abcc0b928 --- /dev/null +++ b/master-standalone/resourceclaimtemplate-resource-v1beta1.json 
@@ -0,0 +1,738 @@ +{ + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimTemplate" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. 
Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. 
Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. 
A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. 
The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. 
If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. 
If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. 
The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. 
All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. 
The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": "object" + } + }, + "required": [ + "spec" + ], + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/resourceclaimtemplate.json b/master-standalone/resourceclaimtemplate.json index cdb900d8d76016a2017d6aaac3b891b9a154f0fc..8b94f96f385957dc44f5e102b94c46576196d761 100644 --- a/master-standalone/resourceclaimtemplate.json +++ b/master-standalone/resourceclaimtemplate.json 
@@ -728,7 +728,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/resourceclaimtemplatelist-resource-v1beta1.json b/master-standalone/resourceclaimtemplatelist-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..8f8b2c67791debd786a30a52c0845e4afdacad99 --- /dev/null +++ b/master-standalone/resourceclaimtemplatelist-resource-v1beta1.json 
@@ -0,0 +1,819 @@ +{ + "description": "ResourceClaimTemplateList is a collection of claim templates.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "items": { + "description": "Items is the list of resource claim templates.", + "items": { + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimTemplate" + ] + }, + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. 
Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. 
Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. 
The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. 
Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. 
To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", + "properties": { + "annotations": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations", + "type": [ + "object", + "null" + ] + }, + "creationTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "deletionGracePeriodSeconds": { + "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. 
Only set when deletionTimestamp is also set. May only be shortened. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deletionTimestamp": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + }, + "finalizers": { + "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "set", + "x-kubernetes-patch-strategy": "merge" + }, + "generateName": { + "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. 
The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", + "type": [ + "string", + "null" + ] + }, + "generation": { + "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "labels": { + "additionalProperties": { + "type": [ + "string", + "null" + ] + }, + "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels", + "type": [ + "object", + "null" + ] + }, + "managedFields": { + "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", + "items": { + "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. 
It is necessary to track the version of a field set because it cannot be automatically converted.", + "type": [ + "string", + "null" + ] + }, + "fieldsType": { + "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", + "type": [ + "string", + "null" + ] + }, + "fieldsV1": { + "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:<name>', where <name> is the name of a field in a struct, or key in a map 'v:<value>', where <value> is the exact json formatted value of a list item 'i:<index>', where <index> is position of a item in a list 'k:<keys>', where <keys> is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in sigs.k8s.io/structured-merge-diff", + "type": [ + "object", + "null" + ] + }, + "manager": { + "description": "Manager is an identifier of the workflow managing these fields.", + "type": [ + "string", + "null" + ] + }, + "operation": { + "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", + "type": [ + "string", + "null" + ] + }, + "subresource": { + "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. 
Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", + "type": [ + "string", + "null" + ] + }, + "time": { + "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", + "format": "date-time", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "name": { + "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": [ + "string", + "null" + ] + }, + "namespace": { + "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces", + "type": [ + "string", + "null" + ] + }, + "ownerReferences": { + "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", + "items": { + "description": "OwnerReference contains enough information to let you identify an owning object. 
An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "blockOwnerDeletion": { + "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", + "type": [ + "boolean", + "null" + ] + }, + "controller": { + "description": "If true, this reference points to the managing controller.", + "type": [ + "boolean", + "null" + ] + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": "string" + } + }, + "required": [ + "apiVersion", + "kind", + "name", + "uid" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + }, + "resourceVersion": { + "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. 
May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "spec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } + }, + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. 
If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. 
The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. 
All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. 
The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ] + } + }, + "type": "object" + } + }, + "required": [ + "spec" + ], + "type": "object" + } + }, + "required": [ + "spec" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1beta1" + } + ] + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimTemplateList" + ] + }, + "metadata": { + "description": "ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.", + "properties": { + "continue": { + "description": "continue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.", + "type": [ + "string", + "null" + ] + }, + "remainingItemCount": { + "description": "remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. 
Clients should not rely on the remainingItemCount to be set or to be exact.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "resourceVersion": { + "description": "String that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": [ + "string", + "null" + ] + }, + "selfLink": { + "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplateList", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/resourceclaimtemplatelist.json b/master-standalone/resourceclaimtemplatelist.json index 123c70cd15e5041d4237eccb6e59c4448b91c5c4..cffc3082d68e164e60fdaf6e07c1350d590e99a5 100644 --- a/master-standalone/resourceclaimtemplatelist.json +++ b/master-standalone/resourceclaimtemplatelist.json @@ -740,7 +740,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ] }, @@ -806,7 +806,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplateList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" 
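Review bot: Both hunks in `master-standalone/resourceclaimtemplatelist.json` replace `"version": "v1alpha3"` with `"version": "v1beta1"` in the `x-kubernetes-group-version-kind` entries of the unversioned file, so a consumer that picks schemas by kind alone will now check v1alpha3 ResourceClaimTemplate manifests against the v1beta1 shape. Please confirm that a versioned v1alpha3 schema is still shipped for clusters that serve that version, or say in the commit message that v1alpha3 is intentionally dropped.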
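Review bot: In the added DeviceRequest item schema above, `adminAccess` is typed as plain `boolean`/`null`, so a manifest that sets it to true validates cleanly even though its own description says such claims "ignore all ordinary claims to the device with respect to access modes and any resource allocations" and depend on the DRAAdminAccess feature gate. The schema cannot express that restriction, so the change description should tell anyone using these files as a lint gate to pair them with a policy check that flags the field. The same gap applies to `opaque.parameters`, which is `"type": "object"` with no properties and therefore passes any content; the `driver` description already points to a driver-supplied admission policy for validating it.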
diff --git a/master-standalone/prioritylevelconfiguration-flowcontrol-v1beta3.json b/master-standalone/resourceclaimtemplatespec-resource-v1beta1.json similarity index 54% rename from master-standalone/prioritylevelconfiguration-flowcontrol-v1beta3.json rename to master-standalone/resourceclaimtemplatespec-resource-v1beta1.json index 0e987adbe770f7f51c2b6ba26b4881d2f57dc93a..c75ab7e94d667936f4b53a8763bbc389d6a49dfc 100644 --- a/master-standalone/prioritylevelconfiguration-flowcontrol-v1beta3.json +++ b/master-standalone/resourceclaimtemplatespec-resource-v1beta1.json @@ -1,26 +1,6 @@ { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "PriorityLevelConfiguration" - ] - }, "metadata": { "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", "properties": { 
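Review bot: The file header records this as a rename of `prioritylevelconfiguration-flowcontrol-v1beta3.json` to `resourceclaimtemplatespec-resource-v1beta1.json` at `similarity index 54%`, but the two schemas describe unrelated API groups, and the overlap appears to come from the shared ObjectMeta block that stays as context. Recorded this way, `git log --follow` on the new file walks into the flowcontrol history, and the removal of the flowcontrol v1beta3 schema is easy to miss in review. Regenerating the patch with rename detection off (`git diff --no-renames`) would show it as one deletion and one addition.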
@@ -272,205 +252,190 @@ ] }, "spec": { - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { - "exempt": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. 
This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "limited": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", + "devices": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. 
The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" + }, + "parameters": { + "description": "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. 
The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)", + "type": "object" + } }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", + "required": [ + "driver", + "parameters" + ], + "type": [ + "object", + "null" + ] + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { "type": [ - "integer", + "string", "null" ] }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. 
Required.", - "type": "string" - } + "type": [ + "object", + "null" + ] }, - "required": [ - "type" - ], "type": [ - "object", + "array", "null" ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ] + "x-kubernetes-list-type": "atomic" }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. 
Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ] - }, - "status": { - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. 
All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, "type": [ - "string", + "object", "null" ] }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". 
This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": "string" + } + }, + "required": [ + "expression" + ], + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], "type": [ - "string", + "object", "null" ] }, - "type": { - "description": "`type` is the type of the condition. 
Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } }, "type": [ - "array", + "object", "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + ] } }, "type": [ @@ -479,13 +444,9 @@ ] } }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" - } + "required": [ + "spec" ], + "type": "object", "$schema": "http://json-schema.org/schema#" } \ No newline at end of file diff --git a/master-standalone/resourcepolicyrule-flowcontrol-v1beta3.json b/master-standalone/resourcepolicyrule-flowcontrol-v1beta3.json deleted file mode 100644 index c50cd302c586dfea83755a3ac4b1f8258666e262..0000000000000000000000000000000000000000 --- a/master-standalone/resourcepolicyrule-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). 
This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/resourcepool-resource-v1beta1.json b/master-standalone/resourcepool-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c85bd4c5ed0de40ec3f8ef20bb164fe800fa5b02 --- /dev/null +++ b/master-standalone/resourcepool-resource-v1beta1.json 
@@ -0,0 +1,35 @@ +{ + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
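Review bot: the three properties listed under `required` in this new file (`name`, `generation`, `resourceSliceCount`) are typed as `["string", "null"]` or `["integer", "null"]`, so an explicit `null` passes validation for fields the descriptions treat as mandatory. The inlined `pool` object in resourceslice-resource-v1beta1.json types the same three fields as plain `string`/`integer`; suggest dropping `null` here as well so both copies agree. The limits are also stated only in prose ("Must be greater than zero", "must not be longer than 253 characters"); if this schema is used to check manifests before admission, `minimum: 1` on `resourceSliceCount` and `maxLength: 253` on `name` would make them enforceable.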
diff --git a/master-standalone/flowschema-flowcontrol-v1beta3.json b/master-standalone/resourceslice-resource-v1beta1.json similarity index 56% rename from master-standalone/flowschema-flowcontrol-v1beta3.json rename to master-standalone/resourceslice-resource-v1beta1.json index d1ca5e8623218940670d3e637b54e64f3cd16dd8..f72661f18072385e1d62e44f239ff0c766a7f30e 100644 --- a/master-standalone/flowschema-flowcontrol-v1beta3.json +++ b/master-standalone/resourceslice-resource-v1beta1.json 
@@ -1,5 +1,5 @@ { - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,7 +8,7 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "kind": { @@ -18,7 +18,7 @@ "null" ], "enum": [ - "FlowSchema" + "ResourceSlice" ] }, "metadata": { 
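Review bot: the `apiVersion` enum in this file now accepts only `resource.k8s.io/v1beta1`, but the top-level description added in the first hunk of the same file still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate." The description should match the version the enum pins. The same description refers to "pool.Spec.Pool.Generation", which does not correspond to the field path this schema defines (`spec.pool.generation`); worth correcting so readers can locate the field.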
@@ -272,351 +272,298 @@ ] }, "spec": { - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { - "distinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" - } - }, - "required": [ - "type" - ], + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", "type": [ - "object", + "boolean", "null" ] }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "priorityLevelConfiguration": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. 
if it is an empty slice, there will be no requests matching the FlowSchema.", + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] + "basic": { + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", "type": [ - "boolean", + "object", "null" ] }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. 
For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. 
Required.", - "type": "string" + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] } }, "required": [ - "name" + "value" ], "type": [ "object", "null" ] }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", + "type": "string" + }, + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. 
This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "key": { + "description": "The label key that the selector applies to.", "type": "string" }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, "required": [ - "namespace", - "name" + "key", + "operator" ], "type": [ "object", "null" ] }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "key": { + "description": "The label key that the selector applies to.", "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, "required": [ - "name" + "key", + "operator" ], "type": [ "object", "null" ] - } - }, - "required": [ - "kind" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "priorityLevelConfiguration" - ], - "type": [ - "object", - "null" - ] - }, - "status": { - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. 
Required.", - "type": [ - "string", + "object", "null" - ] + ], + "x-kubernetes-map-type": "atomic" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] + "type": "array", + "x-kubernetes-list-type": "atomic" + } }, + "required": [ + "nodeSelectorTerms" + ], "type": [ - "array", + "object", "null" ], - "x-kubernetes-list-map-keys": [ - "type" + "x-kubernetes-map-type": "atomic" + }, + "pool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. 
Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "type": "object" } }, + "required": [ + "driver", + "pool" + ], "type": [ "object", "null" ] } }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/resourceslice.json b/master-standalone/resourceslice.json index 389c6e3ead559403c786591720719e08a77ab7d9..78cae472b13398f70fcefcb4eb900e35ff1d3003 100644 --- a/master-standalone/resourceslice.json +++ b/master-standalone/resourceslice.json @@ -333,19 +333,31 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" ] }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", @@ -548,7 +560,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" 
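Review bot: in resourceslice.json the group-version-kind moves from `v1alpha3` to `v1beta1` in the same change that turns each `capacity` entry from a bare quantity (string or number) into an object with a required `value`, so documents that validated against the previous unversioned schema with bare quantities will now be rejected. If that is intended, it should be called out for anyone validating against resourceslice.json rather than a versioned file. The new `value` property also carries no `description`, unlike the properties around it; a one-line description of the expected quantity format would help.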
diff --git a/master-standalone/flowschemalist-flowcontrol-v1beta3.json b/master-standalone/resourceslicelist-resource-v1beta1.json similarity index 60% rename from master-standalone/flowschemalist-flowcontrol-v1beta3.json rename to master-standalone/resourceslicelist-resource-v1beta1.json index 549a90b36c2d6c313ba266bbdfc8b7642230b59d..3c8959215aea4a8007cc52cc7905fdfc8ee47e19 100644 --- a/master-standalone/flowschemalist-flowcontrol-v1beta3.json +++ b/master-standalone/resourceslicelist-resource-v1beta1.json @@ -1,5 +1,5 @@ { - "description": "FlowSchemaList is a list of FlowSchema objects.", + "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -8,13 +8,13 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "`items` is a list of FlowSchemas.", + "description": "Items is the list of resource ResourceSlices.", "items": { - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. 
Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -23,7 +23,7 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "kind": { @@ -33,7 +33,7 @@ "null" ], "enum": [ - "FlowSchema" + "ResourceSlice" ] }, "metadata": { 
@@ -287,354 +287,298 @@ ] }, "spec": { - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { - "distinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" - } - }, - "required": [ - "type" - ], - "type": [ - "object", - "null" - ] - }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", "type": [ - "integer", + "boolean", "null" ] }, - "priorityLevelConfiguration": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. 
if it is an empty slice, there will be no requests matching the FlowSchema.", + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. 
Required.", - "items": { - "type": [ - "string", - "null" - ] + "basic": { + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", "type": [ - "boolean", + "object", "null" ] }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. 
For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": "array", - "x-kubernetes-list-type": "set" - } + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", - "items": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. 
Required.", - "type": "string" + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] } }, "required": [ - "name" + "value" ], "type": [ "object", "null" ] }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", + "type": "string" + }, + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. 
This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "key": { + "description": "The label key that the selector applies to.", "type": "string" }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, "required": [ - "namespace", - "name" + "key", + "operator" ], "type": [ "object", "null" ] }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" } }, "required": [ - "name" + "key", + "operator" ], "type": [ "object", "null" ] - } - }, - "required": [ - "kind" - ], - "type": [ - "object", - "null" - ], - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "priorityLevelConfiguration" - ], - "type": [ - "object", - "null" - ] - }, - "status": { - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", "type": [ - "string", - "null" - ] - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. 
Required.", - "type": [ - "string", + "object", "null" - ] + ], + "x-kubernetes-map-type": "atomic" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] + "type": "array", + "x-kubernetes-list-type": "atomic" + } }, + "required": [ + "nodeSelectorTerms" + ], "type": [ - "array", + "object", "null" ], - "x-kubernetes-list-map-keys": [ - "type" + "x-kubernetes-map-type": "atomic" + }, + "pool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. 
Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "type": "object" } }, - "type": [ - "object", - "null" - ] + "required": [ + "driver", + "pool" + ], + "type": "object" } }, + "required": [ + "spec" + ], "type": [ "object", "null" ], "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1beta1" } ] }, @@ -650,7 +594,7 @@ "null" ], "enum": [ - "FlowSchemaList" + "ResourceSliceList" ] }, "metadata": { @@ -698,9 +642,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchemaList", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceSliceList", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/resourceslicelist.json b/master-standalone/resourceslicelist.json index 794cb944cd740c2a3736e3222a466a20c9ecee19..b48cb93ea402d9af979b845036443f87092f467c 100644 --- a/master-standalone/resourceslicelist.json +++ b/master-standalone/resourceslicelist.json 
@@ -345,19 +345,31 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" ] }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", @@ -560,7 +572,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ] }, @@ -626,7 +638,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSliceList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master-standalone/resourceslicespec-resource-v1beta1.json b/master-standalone/resourceslicespec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..6c3e86fef1885cf0b569f60cd47a1acf3f1e4fea --- /dev/null +++ b/master-standalone/resourceslicespec-resource-v1beta1.json 
@@ -0,0 +1,287 @@ +{ + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", + "properties": { + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", + "type": [ + "boolean", + "null" + ] + }, + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", + "items": { + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "description": "Attributes defines the set of attributes for this device. 
The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + }, + "capacity": { + "additionalProperties": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } + ] + } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" + ] + }, + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": [ + "object", + "null" + ] + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. 
This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeSelector": { + "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", + "properties": { + "nodeSelectorTerms": { + "description": "Required. A list of node selector terms. The terms are ORed.", + "items": { + "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", + "properties": { + "matchExpressions": { + "description": "A list of node selector requirements by node's labels.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "matchFields": { + "description": "A list of node selector requirements by node's fields.", + "items": { + "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "The label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", + "type": "string" + }, + "values": { + "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. 
This array is replaced during a strategic merge patch.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "key", + "operator" + ], + "type": [ + "object", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "nodeSelectorTerms" + ], + "type": [ + "object", + "null" + ], + "x-kubernetes-map-type": "atomic" + }, + "pool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. 
Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" + ], + "type": [ + "object", + "null" + ] + } + }, + "required": [ + "driver", + "pool" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master-standalone/resourceslicespec.json b/master-standalone/resourceslicespec.json index 4770447cd5b0901347ab73c3e517d7b271ed7cc6..6c3e86fef1885cf0b569f60cd47a1acf3f1e4fea 100644 --- a/master-standalone/resourceslicespec.json +++ b/master-standalone/resourceslicespec.json @@ -63,19 +63,31 @@ }, "capacity": { "additionalProperties": { - "oneOf": [ - { - "type": [ - "string", - "null" - ] - }, - { - "type": [ - "number", - "null" + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "oneOf": [ + { + "type": [ + "string", + "null" + ] + }, + { + "type": [ + "number", + "null" + ] + } ] } + }, + "required": [ + "value" + ], + "type": [ + "object", + "null" ] }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", diff --git a/master-standalone/selfsubjectreviewstatus-authentication-v1alpha1.json b/master-standalone/selfsubjectreviewstatus-authentication-v1alpha1.json deleted file mode 100644 index ed01de78df3978fedfe762ab5e8a024a8878b140..0000000000000000000000000000000000000000 --- a/master-standalone/selfsubjectreviewstatus-authentication-v1alpha1.json +++ /dev/null 
@@ -1,63 +0,0 @@ -{ - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", - "properties": { - "userInfo": { - "description": "UserInfo holds the information about the user needed to implement the user.Info interface.", - "properties": { - "extra": { - "additionalProperties": { - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ] - }, - "description": "Any additional information provided by the authenticator.", - "type": [ - "object", - "null" - ] - }, - "groups": { - "description": "The names of groups this user is a part of.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "uid": { - "description": "A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.", - "type": [ - "string", - "null" - ] - }, - "username": { - "description": "The name that uniquely identifies this user among all active users.", - "type": [ - "string", - "null" - ] - } - }, - "type": [ - "object", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/serviceaccountsubject-flowcontrol-v1beta3.json b/master-standalone/serviceaccountsubject-flowcontrol-v1beta3.json deleted file mode 100644 index 6548d56e8ca2b50536413574d36c0e31ae6b6b20..0000000000000000000000000000000000000000 --- a/master-standalone/serviceaccountsubject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "namespace", - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/subject-flowcontrol-v1beta3.json b/master-standalone/subject-flowcontrol-v1beta3.json deleted file mode 100644 index c07af09479c7af8ae904489566eac71a04d09af1..0000000000000000000000000000000000000000 --- a/master-standalone/subject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,80 +0,0 @@ -{ - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ] - }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": [ - "string", - "null" - ] - }, - "serviceAccount": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": "string" - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": "string" - } - }, - "required": [ - "namespace", - "name" - ], - "type": [ - "object", - "null" - ] - }, - "user": { - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", - "type": "string" - } - }, - "required": [ - "name" - ], - "type": [ - "object", - "null" - ] - } - }, - "required": [ - "kind" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone/typechecking-admissionregistration-v1alpha1.json b/master-standalone/typechecking-admissionregistration-v1alpha1.json deleted file mode 100644 index 1b9478c6fd1912a6f36a5b12179fed1881093f12..0000000000000000000000000000000000000000 --- a/master-standalone/typechecking-admissionregistration-v1alpha1.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": "string" - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/usersubject-flowcontrol-v1beta3.json b/master-standalone/usersubject-flowcontrol-v1beta3.json deleted file mode 100644 index 68c027e1658d13f83854f8584cf6b43fe21f6371..0000000000000000000000000000000000000000 --- a/master-standalone/usersubject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master-standalone/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json b/master-standalone/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json deleted file mode 100644 index d1af96187e9288cf49370753a67752df8fafa5fa..0000000000000000000000000000000000000000 --- a/master-standalone/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,109 +0,0 @@ -{ - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "description": "Condition contains details for one aspect of the current state of this API Resource.", - "properties": { - "lastTransitionTime": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "format": "date-time", - "type": "string" - }, - "message": { - "description": "message is a human readable message indicating details about the transition. This may be an empty string.", - "type": "string" - }, - "observedGeneration": { - "description": "observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "reason": { - "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. 
This field may not be empty.", - "type": "string" - }, - "status": { - "description": "status of the condition, one of True, False, Unknown.", - "type": "string" - }, - "type": { - "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", - "type": "string" - } - }, - "required": [ - "type", - "status", - "lastTransitionTime", - "reason", - "message" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "typeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": "string" - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": [ - "object", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": [ - "object", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master-standalone/validation-admissionregistration-v1alpha1.json b/master-standalone/validation-admissionregistration-v1alpha1.json deleted file mode 100644 index a4effa90f7dda98886dddfdb96cbc642b4f399a6..0000000000000000000000000000000000000000 --- a/master-standalone/validation-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' 
escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. 
If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
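Review bot: this deletion leaves `Validation` at admissionregistration v1alpha1 with no standalone schema, and nothing in the hunk says which upstream release dropped the type or which version replaces it. A pipeline that treats an unresolvable schema as "skip" would stop checking these admission-policy manifests without reporting a failure. Please name the upstream Kubernetes release in the commit message, and confirm that consumers of `master-standalone/` fail closed when a schema file is missing.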
diff --git a/master-standalone/volumeattachment-storage-v1.json b/master-standalone/volumeattachment-storage-v1.json index c83f154afaaca57cc1047ce641c4bb710393979f..5ac4c11d529cd01584558ec8992b7b650e4f640d 100644 --- a/master-standalone/volumeattachment-storage-v1.json +++ b/master-standalone/volumeattachment-storage-v1.json @@ -636,7 +636,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1156,7 +1156,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/volumeattachment.json b/master-standalone/volumeattachment.json index 7fb16a8575ddba2fc88c953b51d6871760392a43..cf49d794fefeb10b7350196e0a208005f55678f9 100644 --- a/master-standalone/volumeattachment.json +++ b/master-standalone/volumeattachment.json @@ -633,7 +633,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", 
@@ -1153,7 +1153,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/volumeattachmentlist-storage-v1.json b/master-standalone/volumeattachmentlist-storage-v1.json index edcaad51576fda7b267df821e269271d95319a48..4ffc2df64b8535b7d91c085924960b227c7883b2 100644 --- a/master-standalone/volumeattachmentlist-storage-v1.json +++ b/master-standalone/volumeattachmentlist-storage-v1.json @@ -651,7 +651,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1171,7 +1171,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
diff --git a/master-standalone/volumeattachmentlist.json b/master-standalone/volumeattachmentlist.json index 8c8654d358124f530af299a5fe7160ef8c9230ed..f899ef2fa1adf65d6c851438718057514e685662 100644 --- a/master-standalone/volumeattachmentlist.json +++ b/master-standalone/volumeattachmentlist.json @@ -645,7 +645,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -1165,7 +1165,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/volumeattachmentsource-storage-v1.json b/master-standalone/volumeattachmentsource-storage-v1.json index fd665349d16fde25b6889496e0512869168d28c7..e07e48edb779379a67486c27cf69c8eb0a61a62b 100644 --- a/master-standalone/volumeattachmentsource-storage-v1.json +++ b/master-standalone/volumeattachmentsource-storage-v1.json 
@@ -352,7 +352,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -872,7 +872,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/volumeattachmentsource.json b/master-standalone/volumeattachmentsource.json index fd665349d16fde25b6889496e0512869168d28c7..e07e48edb779379a67486c27cf69c8eb0a61a62b 100644 --- a/master-standalone/volumeattachmentsource.json +++ b/master-standalone/volumeattachmentsource.json @@ -352,7 +352,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", 
@@ -872,7 +872,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/volumeattachmentspec-storage-v1.json b/master-standalone/volumeattachmentspec-storage-v1.json index e1d6435cadd0f8be023eb0fbb9a85d2269d7684a..cbd4fff44dc88e0bf1cd645115121c682c48e0df 100644 --- a/master-standalone/volumeattachmentspec-storage-v1.json +++ b/master-standalone/volumeattachmentspec-storage-v1.json @@ -369,7 +369,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -889,7 +889,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
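Review bot: please confirm this is regenerated output and not a hand edit. The only change in this hunk is that the `local` description loses "(Beta feature)", which does not affect validation. The volumeattachmentspec.json diff that follows carries the same blob ids as this file (e1d6435c to cbd4fff4), so the versioned and unversioned copies have to stay byte-identical. Recording the upstream version or commit the schemas were generated from would let a reader verify that.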
diff --git a/master-standalone/volumeattachmentspec.json b/master-standalone/volumeattachmentspec.json index e1d6435cadd0f8be023eb0fbb9a85d2269d7684a..cbd4fff44dc88e0bf1cd645115121c682c48e0df 100644 --- a/master-standalone/volumeattachmentspec.json +++ b/master-standalone/volumeattachmentspec.json @@ -369,7 +369,7 @@ "x-kubernetes-map-type": "atomic" }, "csi": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace", @@ -889,7 +889,7 @@ ] }, "local": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master-standalone/watchevent-meta-v1.json b/master-standalone/watchevent-meta-v1.json index 615f269535675087fd750367322bd541e02e1e46..52055b141276fde02e44b8921996a4527072c074 100644 --- a/master-standalone/watchevent-meta-v1.json +++ b/master-standalone/watchevent-meta-v1.json @@ -286,6 +286,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master-standalone/watchevent.json b/master-standalone/watchevent.json index 615f269535675087fd750367322bd541e02e1e46..52055b141276fde02e44b8921996a4527072c074 100644 --- a/master-standalone/watchevent.json 
+++ b/master-standalone/watchevent.json @@ -286,6 +286,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master/_definitions.json b/master/_definitions.json index 1e23568e88836ddd945c01a812ddd4a5a4a36f19..46d37daa98de9d5a70bb96d28a60bc994c4167cb 100644 --- a/master/_definitions.json +++ b/master/_definitions.json 
@@ -890,40 +890,24 @@ }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration": { + "description": "ApplyConfiguration defines the desired configuration values of an object.", "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. 
All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", "type": "string" } }, - "required": [ - "key", - "valueExpression" - ], "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning": { - "description": "ExpressionWarning is a warning information that targets a specific expression.", + "io.k8s.api.admissionregistration.v1alpha1.JSONPatch": { + "description": "JSONPatch defines a JSON Patch.", "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": "string" - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. 
For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. 
- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", "type": "string" } }, - "required": [ - "fieldRef", - "warning" - ], "type": "object" }, "io.k8s.api.admissionregistration.v1alpha1.MatchCondition": { 
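Review bot: `ApplyConfiguration.expression` and `JSONPatch.expression` are both documented as "Required.", but this hunk drops the old `required` arrays and adds none. A client validating against this schema will therefore accept a mutation with no expression. Either add `"required": ["expression"]` to both definitions or drop "Required." from the descriptions. Two smaller points in the `JSONPatch` text: the quoting is unbalanced in the nested-field `Object.` bullet (opens with `'`, closes with a backtick) and in the `jsonpatch.escapeKey` bullet ("`~1' respectively)." with a stray closing parenthesis). Also, in the property-name pattern `[a-zA-Z_.-/]`, the `.-/` part parses as a character range, so it does not admit a literal `-`.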
@@ -978,111 +962,8 @@ "type": "object", "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations": { - "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", - "properties": { - "apiGroups": { - "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "apiVersions": { - "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "operations": { - "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resourceNames": { - "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resources": { - "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. 
Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "scope": { - "description": "scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", - "type": "string" - } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.ParamKind": { - "description": "ParamKind is a tuple of Group Kind and Version.", - "properties": { - "apiVersion": { - "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", - "type": "string" - }, - "kind": { - "description": "Kind is the API kind the resources belong to. Required.", - "type": "string" - } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { - "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", - "properties": { - "name": { - "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", - "type": "string" - }, - "namespace": { - "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. 
Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", - "type": "string" - }, - "parameterNotFoundAction": { - "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", - "type": "string" - }, - "selector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." 
- } - }, - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.admissionregistration.v1alpha1.TypeChecking": { - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy": { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy": { + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1092,7 +973,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
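Review bot: the `@@ -978,111 +962,8 @@` hunk deletes the `ParamKind` and `ParamRef` definitions at this position, yet `MutatingAdmissionPolicyBindingSpec.paramRef` and `MutatingAdmissionPolicySpec.paramKind` later in the patch still `$ref` both of them. Please confirm the two definitions are re-added further down the file (the keys appear to be kept in sorted order, so they would land after `Mutation`). If they are not, those references dangle and the schema will not resolve.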
@@ -1100,25 +981,21 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicy." - }, - "status": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus", - "description": "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only." + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicy." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding": { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. 
Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding": { + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1128,7 +1005,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { 
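Review bot: in the `@@ -1100,25 +981,21 @@` hunk `MutatingAdmissionPolicy` loses the `status` property, and the `TypeChecking` and `ExpressionWarning` definitions are removed elsewhere in the patch, so this schema has no field that reports type-check warnings for a mutation's CEL expression. If that is intended for v1alpha1, say so in the `MutatingAdmissionPolicy` or `spec` description, so policy authors know that expression errors are handled only through `failurePolicy`.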
@@ -1136,21 +1013,21 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding." + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicyBinding." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList": { - "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList": { + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1159,7 +1036,7 @@ "items": { "description": "List of PolicyBinding.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, "type": "array" }, 
@@ -1167,7 +1044,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyBindingList" + "MutatingAdmissionPolicyBindingList" ] }, "metadata": { 
@@ -1182,39 +1059,31 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBindingList", + "kind": "MutatingAdmissionPolicyBindingList", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec": { - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec": { + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", "properties": { "matchResources": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required." + "description": "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. 
The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT." }, "paramRef": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", - "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." }, "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", "type": "string" - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. 
If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination 
needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" } }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList": { - "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList": { + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -1223,7 +1092,7 @@ "items": { "description": "List of ValidatingAdmissionPolicy.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, "type": "array" }, @@ -1231,7 +1100,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ValidatingAdmissionPolicyList" + "MutatingAdmissionPolicyList" ] }, "metadata": { 
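Review bot: in the `@@ -1182,39 +1059,31 @@` hunk the new `matchResources` description carries two grammar slips into the published schema ("do not constraint matching", "Note that this is differs from"), and `policyName` ends "will be ignored Required." with no period between the sentences. Since the text is being rewritten here anyway, fix these in the source comments and regenerate.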
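Review bot: in the `@@ -1223,7 +1092,7 @@` hunk the `items` reference of `MutatingAdmissionPolicyList` now points at `MutatingAdmissionPolicy`, but the unchanged context line above it still reads "List of ValidatingAdmissionPolicy.". The description is stale and should be updated with the `$ref` so the generated documentation does not name the wrong kind.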
@@ -1246,28 +1115,20 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyList", + "kind": "MutatingAdmissionPolicyList", "version": "v1alpha1" } ] }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec": { - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", + "io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec": { + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "description": "failurePolicy defines how to handle failures for the admission policy. 
Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", "type": "string" }, "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. 
If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", "items": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" }, 
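Review bot: the `MutatingAdmissionPolicySpec` descriptions in this hunk still describe validation. `failurePolicy` keeps "failurePolicy does not define how validations that evaluate to false are handled", and `matchConditions` says requests are "validated" and that `params` is accessed "in the same manner as validation expressions". This spec has `mutations`, not validations, so reword both. The hunk also removes the sentence that tied `Fail` to `validationActions` without adding a replacement, so `failurePolicy` no longer states what happens to the request when a mutation expression errors under `Fail`. Please add that sentence.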
@@ -1281,114 +1142,172 @@ }, "matchConstraints": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required." - }, - "paramKind": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", - "description": "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null." + "description": "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required." }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", + "mutations": { + "description": "mutations contain operations to perform on matching objects. 
mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", "items": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" }, "type": "array", "x-kubernetes-list-type": "atomic" }, + "paramKind": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", + "description": "paramKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null." + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": "string" + }, "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", "items": { "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" }, "type": "array", - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus": { - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": "integer" - }, - "typeChecking": { - "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking", - 
"description": "The results of type checking for each expression. Presence of this field indicates the completion of the type checking." + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.admissionregistration.v1alpha1.Validation": { - "description": "Validation specifies the CEL expression which is used to apply the validation.", + "io.k8s.api.admissionregistration.v1alpha1.Mutation": { + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. 
No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": "string" - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. 
\"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".", - "type": "string" + "applyConfiguration": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration", + "description": "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration." }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": "string" - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. 
If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", - "type": "string" - } - }, - "required": [ - "expression" - ], - "type": "object" - }, - "io.k8s.api.admissionregistration.v1alpha1.Variable": { - "description": "Variable is the definition of a variable that is used for composition.", - "properties": { - "expression": { - "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", - "type": "string" + "jsonPatch": { + "$ref": "#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch", + "description": "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch." }, - "name": { - "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". 
Required.", "type": "string" } }, "required": [ - "name", - "expression" + "patchType" ], "type": "object" }, - "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation": { - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations": { + "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.", "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": "string" + "apiGroups": { + "description": "APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. 
If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", + "apiVersions": { + "description": "APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "operations": { + "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "resources": { + "description": "Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + }, + "scope": { + "description": "scope specifies the scope of this rule. 
Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\".", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.ParamKind": { + "description": "ParamKind is a tuple of Group Kind and Version.", + "properties": { + "apiVersion": { + "description": "APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.", + "type": "string" + }, + "kind": { + "description": "Kind is the API kind the resources belong to. Required.", + "type": "string" + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.ParamRef": { + "description": "ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.", + "properties": { + "name": { + "description": "`name` is the name of the resource being referenced.\n\n`name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.", + "type": "string" + }, + "namespace": { + "description": "namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. 
Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.", + "type": "string" + }, + "parameterNotFoundAction": { + "description": "`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny` Default to `Deny`", + "type": "string" + }, + "selector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset." + } + }, + "type": "object", + "x-kubernetes-map-type": "atomic" + }, + "io.k8s.api.admissionregistration.v1alpha1.Variable": { + "description": "Variable is the definition of a variable that is used for composition.", + "properties": { + "expression": { + "description": "Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation.", + "type": "string" + }, + "name": { + "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`", + "type": "string" + } + }, + "required": [ + "name", + "expression" + ], + "type": "object" + }, + "io.k8s.api.admissionregistration.v1beta1.AuditAnnotation": { + "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", + "properties": { + "key": { + "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", + "type": "string" + }, + "valueExpression": { + "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. 
All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", "type": "string" } }, 
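Review bot: In the added `io.k8s.api.admissionregistration.v1alpha1.Mutation` definition, `required` lists only `patchType`, so nothing in the schema ties `patchType` to the field it selects: a Mutation with `"patchType": "JSONPatch"` and no `jsonPatch`, or with both `applyConfiguration` and `jsonPatch` set, passes validation against this file. Say in the `patchType` description which field each allowed value requires, so that tools validating manifests against these definitions know the gap exists. Two smaller points in the same hunk: the re-added `v1alpha1.Variable` description still refers to "the CEL expressions in Validation" although `v1alpha1.Validation` is removed here, and the `variables` list earlier in the hunk goes from a map keyed on `name` with merge patch strategy to `x-kubernetes-list-type: atomic`, so name uniqueness is now stated only in prose and a patch replaces the whole list.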
@@ -3327,48 +3246,6 @@ }, "type": "object" }, - "io.k8s.api.authentication.v1alpha1.SelfSubjectReview": { - "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "SelfSubjectReview" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus", - "description": "Status is filled in by the server with the user attributes." 
- } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "authentication.k8s.io", - "kind": "SelfSubjectReview", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus": { - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", - "properties": { - "userInfo": { - "$ref": "#/definitions/io.k8s.api.authentication.v1.UserInfo", - "description": "User attributes of the user making this request." - } - }, - "type": "object" - }, "io.k8s.api.authentication.v1beta1.SelfSubjectReview": { "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", "properties": { 
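Review bot: The removal of `io.k8s.api.authentication.v1alpha1.SelfSubjectReview` and `SelfSubjectReviewStatus` leaves no hint in this hunk of where `authentication.k8s.io/v1alpha1` callers should go; only the `v1beta1` definition is visible as trailing context. Check that no `$ref` elsewhere in the file still points at the two deleted keys, and name the replacement version in the commit message.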
@@ -4451,7 +4328,7 @@ "properties": { "containerResource": { "$ref": "#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource", - "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag." + "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "external": { "$ref": "#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource", @@ -4470,7 +4347,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": "string" } }, 
@@ -4503,7 +4380,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": "string" } }, 
@@ -5411,96 +5288,6 @@ }, "type": "object" }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundle": { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "metadata contains the object metadata." 
- }, - "spec": { - "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec", - "description": "spec contains the signer (if any) and trust anchors." - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList": { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "items": { - "description": "items is a collection of ClusterTrustBundle objects", - "items": { - "$ref": "#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" - }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterTrustBundleList" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "metadata contains the list metadata." 
- } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" - } - ] - }, - "io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec": { - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": "string" - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. 
The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": "string" - } - }, - "required": [ - "trustBundle" - ], - "type": "object" - }, "io.k8s.api.coordination.v1.Lease": { "description": "Lease defines a lease concept.", "properties": { @@ -5920,7 +5707,7 @@ ] }, "io.k8s.api.core.v1.CSIPersistentVolumeSource": { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "$ref": "#/definitions/io.k8s.api.core.v1.SecretReference", @@ -8287,7 +8074,7 @@ "x-kubernetes-map-type": "atomic" }, "io.k8s.api.core.v1.LocalVolumeSource": { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", 
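Review bot: The `@@ -5411` hunk above deletes `certificates.v1alpha1.ClusterTrustBundle`, `ClusterTrustBundleList` and `ClusterTrustBundleSpec` with no replacement definition in the visible lines. The deleted descriptions carried the object's access model (readable by any authenticated user, `verb=attest` on the signer needed to set `signerName`), so if a newer version of the type is defined elsewhere in the file, confirm it keeps that text; if not, manifests using `certificates.k8s.io/v1alpha1` ClusterTrustBundle no longer validate against this schema and the commit message should say so.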
@@ -9357,15 +9144,15 @@ }, "awsElasticBlockStore": { "$ref": "#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "capacity": { "additionalProperties": { 
@@ -9376,11 +9163,11 @@ }, "cephfs": { "$ref": "#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "claimRef": { "$ref": "#/definitions/io.k8s.api.core.v1.ObjectReference", @@ -9389,7 +9176,7 @@ }, "csi": { "$ref": "#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource", - "description": "csi represents storage that is handled by an external CSI driver (Beta feature)." + "description": "csi represents storage that is handled by an external CSI driver." }, "fc": { "$ref": "#/definitions/io.k8s.api.core.v1.FCVolumeSource", 
@@ -9397,19 +9184,19 @@ }, "flexVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "glusterfs": { "$ref": "#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource", - "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
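Review bot: in the hunk at -9397 the deprecation is carried only in the free-text `description` of `flexVolume`, `flocker`, `gcePersistentDisk` and `glusterfs`; the properties and their `$ref` targets are unchanged, so anything that validates manifests against this file will still accept a PersistentVolume using `flocker` or `glusterfs` even though the new text says those in-tree types are "no longer supported". The hunk also mixes three different states under one "Deprecated:" prefix (redirected to a CSI driver, no longer supported, and "Consider using a CSIDriver instead" for the exec-based `flexVolume`). Suggest whatever consumes this schema adds an explicit check for these field names rather than relying on the description text, and treats the "no longer supported" ones as errors.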
@@ -9445,23 +9232,23 @@ }, "photonPersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "quobyte": { "$ref": "#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. 
More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "storageClassName": { "description": "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.", @@ -9469,7 +9256,7 @@ }, "storageos": { "$ref": "#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource", - "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md" + "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md" }, "volumeAttributesClassName": { "description": "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).", 
@@ -9481,7 +9268,7 @@ }, "vsphereVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "type": "object" @@ -10207,7 +9994,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
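Review bot: the new `containerStatuses` description in the hunk at -10207 says duplicate names and statuses for non-existent containers are possible ("However this is not enforced") and that component behavior is then "not defined", but it gives a reader of the list no rule for resolving them, and nothing in the visible lines constrains the `items`. Code that makes decisions from this list should match entries by name against the containers in the pod spec and ignore or flag extras and duplicates rather than trust a one-to-one mapping; worth a comment to that effect wherever this schema is consumed.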
@@ -10215,7 +10002,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, @@ -10237,7 +10024,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "$ref": "#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
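Review bot: the `initContainerStatuses` line in the hunk at -10237 links to `pod-lifecycle/#pod-and-container-status` (slash before the fragment), while the sibling `containerStatuses` and `ephemeralContainerStatuses` descriptions added in the neighbouring hunks use `pod-lifecycle#pod-and-container-status`. Suggest using one form across the three so link checkers and text diffs of these descriptions stay quiet. The same line also narrows "most recent successful init container" to "non-restartable init container"; anything that reads `ready` from this list should be checked against the new wording.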
@@ -12156,23 +11943,23 @@ "properties": { "awsElasticBlockStore": { "$ref": "#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "cephfs": { "$ref": "#/definitions/io.k8s.api.core.v1.CephFSVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." 
}, "cinder": { "$ref": "#/definitions/io.k8s.api.core.v1.CinderVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "configMap": { "$ref": "#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource", @@ -12180,7 +11967,7 @@ }, "csi": { "$ref": "#/definitions/io.k8s.api.core.v1.CSIVolumeSource", - "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers." }, "downwardAPI": { "$ref": "#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource", 
@@ -12200,23 +11987,23 @@ }, "flexVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.FlexVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "gitRepo": { "$ref": "#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource", - "description": "gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." 
+ "description": "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." }, "glusterfs": { "$ref": "#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource", - "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", @@ -12244,11 +12031,11 @@ }, "photonPersistentDisk": { "$ref": "#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "projected": { "$ref": "#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource", 
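Review bot: in the hunk at -12244 the `portworxVolume` redirect is conditional ("when the CSIMigrationPortworx feature-gate is on"), unlike the unconditional redirects stated for the other in-tree types in this patch, and the description does not say what happens when the gate is off. Suggest noting the gate-off behavior next to this entry, or having tooling that reads this schema flag `portworxVolume` separately from the unconditional cases. `photonPersistentDisk` in the same hunk is marked "no longer supported" but remains a valid property, so schema validation alone will not reject it.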
@@ -12256,15 +12043,15 @@ }, "quobyte": { "$ref": "#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "#/definitions/io.k8s.api.core.v1.RBDVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "secret": { "$ref": "#/definitions/io.k8s.api.core.v1.SecretVolumeSource", 
@@ -12272,11 +12059,11 @@ }, "storageos": { "$ref": "#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource", - "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported." }, "vsphereVolume": { "$ref": "#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "required": [ 
@@ -13436,38 +13223,69 @@ ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration": { - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", + "io.k8s.api.networking.v1.HTTPIngressPath": { + "description": "HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.", "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": "integer" + "backend": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", + "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to." }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. 
This field has a default value of zero.", - "format": "int32", - "type": "integer" + "path": { + "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".", + "type": "string" + }, + "pathType": { + "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.", + "type": "string" } }, + "required": [ + "pathType", + "backend" + ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod": { - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", + "io.k8s.api.networking.v1.HTTPIngressRuleValue": { + "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' 
or '#'.", "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": "string" + "paths": { + "description": "paths is a collection of paths that map requests to backends.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "required": [ - "type" + "paths" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchema": { - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", - "properties": { + "io.k8s.api.networking.v1.IPBlock": { + "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.", + "properties": { + "cidr": { + "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", + "type": "string" + }, + "except": { + "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "cidr" + ], + "type": "object" + }, + "io.k8s.api.networking.v1.Ingress": { + "description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. 
An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.", + "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" 
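Review bot: the `pathType` description added in the hunk at -13436 is garbled at exactly the point where it defines Prefix matching: "A path element refers is the list of labels in the path" and "A request is a match for path p if every p is an element-wise prefix of p of the request path". Since this text is what distinguishes `/foo/bar` matching `/foo/bar/baz` but not `/foo/barbaz`, it should read unambiguously; suggest correcting it at the source the descriptions are generated from. Smaller wording issues in the same hunk: "where where parts of the url" in `HTTPIngressRuleValue`, "to which the traffic will be forwarded to" in `backend`, and the missing full stop before "Valid examples" in both `IPBlock` fields. The hunk also removes the `io.k8s.api.flowcontrol.v1beta3.*` definitions in these positions; worth confirming no `$ref` elsewhere in the file still points at them.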
@@ -13476,68 +13294,88 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "FlowSchema" + "Ingress" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec", - "description": "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec", + "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus", - "description": "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus", + "description": "status is the current state of the Ingress. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "Ingress", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition": { - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", + "io.k8s.api.networking.v1.IngressBackend": { + "description": "IngressBackend describes all endpoints for a given service and port.", "properties": { - "lastTransitionTime": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." + "resource": { + "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference", + "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"." }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", + "service": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend", + "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"." + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressClass": { + "description": "IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. 
When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IngressClass" + ] }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": "string" + "spec": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec", + "description": "spec is the desired state of the IngressClass. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IngressClass", + "version": "v1" + } + ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaList": { - "description": "FlowSchemaList is a list of FlowSchema objects.", + "io.k8s.api.networking.v1.IngressClassList": { + "description": "IngressClassList is a collection of IngressClasses.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "`items` is a list of FlowSchemas.", + "description": "items is the list of IngressClasses.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass" }, "type": "array" }, @@ -13545,12 +13383,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "FlowSchemaList" + "IngressClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata." } }, "required": [ 
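Review bot: in the `io.k8s.api.networking.v1.IngressBackend` definition added by the hunk at -13476, `resource` and `service` are each described as "a mutually exclusive setting" with the other, but the object has no `required` list and nothing in the visible lines encodes the exclusivity, so a client-side validator built from this file will accept a backend with both set or with neither. Suggest enforcing the either/or in the consumer (or documenting that only the API server checks it). Separately, in the hunk at -13545 the `IngressClassList` `metadata` description is shortened to "Standard list metadata." and loses the "More info" link that the other `metadata` entries in this patch keep.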
@@ -13559,185 +13397,243 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchemaList", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "IngressClassList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec": { - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", + "io.k8s.api.networking.v1.IngressClassParametersReference": { + "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.", "properties": { - "distinguisherMethod": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod", - "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." + "apiGroup": { + "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", + "type": "string" }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": "integer" + "kind": { + "description": "kind is the type of resource being referenced.", + "type": "string" }, - "priorityLevelConfiguration": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference", - "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. 
If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." + "name": { + "description": "name is the name of resource being referenced.", + "type": "string" }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "namespace": { + "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".", + "type": "string" + }, + "scope": { + "description": "scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".", + "type": "string" } }, "required": [ - "priorityLevelConfiguration" + "kind", + "name" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus": { - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.GroupSubject": { - "description": "GroupSubject holds detailed information for group-kind subject.", + "io.k8s.api.networking.v1.IngressClassSpec": { + "description": "IngressClassSpec provides information about the class of an Ingress.", 
"properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", + "controller": { + "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.", "type": "string" + }, + "parameters": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference", + "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters." } }, - "required": [ - "name" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.LimitResponse": { - "description": "LimitResponse defines how to handle requests that can not be executed right now.", + "io.k8s.api.networking.v1.IngressList": { + "description": "IngressList is a collection of Ingress.", "properties": { - "queuing": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration", - "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" + }, + "items": { + "description": "items is the list of Ingress.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IngressList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ - "type" + "items" ], "type": "object", - "x-kubernetes-unions": [ + "x-kubernetes-group-version-kind": [ { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } + "group": "networking.k8s.io", + "kind": "IngressList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration": { - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", + "io.k8s.api.networking.v1.IngressLoadBalancerIngress": { + "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.", "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. 
The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": "integer" - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": "integer" + "hostname": { + "description": "hostname is set for load-balancer ingress points that are DNS based.", + "type": "string" }, - "limitResponse": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse", - "description": "`limitResponse` indicates what to do with requests that can not be executed right now" + "ip": { + "description": "ip is set for load-balancer ingress points that are IP based.", + "type": "string" }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. 
This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": "integer" + "ports": { + "description": "ports provides information about the ports exposed by this LoadBalancer.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule": { - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", + "io.k8s.api.networking.v1.IngressLoadBalancerStatus": { + "description": "IngressLoadBalancerStatus represents the status of a load-balancer.", "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. 
Required.", + "ingress": { + "description": "ingress is a list containing ingress points for the load-balancer.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress" }, "type": "array", - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressPortStatus": { + "description": "IngressPortStatus represents the error condition of a service port", + "properties": { + "error": { + "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.", + "type": "string" + }, + "port": { + "description": "port is the port number of the ingress port.", + "format": "int32", + "type": "integer" + }, + "protocol": { + "description": "protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"", + "type": "string" } }, "required": [ - "verbs", - "nonResourceURLs" + "port", + "protocol" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects": { - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. 
This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", + "io.k8s.api.networking.v1.IngressRule": { + "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", + "host": { + "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If host is precise, the request matches this rule if the http host header is equal to Host. 2. 
If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.", + "type": "string" + }, + "http": { + "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressServiceBackend": { + "description": "IngressServiceBackend references a Kubernetes Service as a Backend.", + "properties": { + "name": { + "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.", + "type": "string" + }, + "port": { + "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort", + "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend." + } + }, + "required": [ + "name" + ], + "type": "object" + }, + "io.k8s.api.networking.v1.IngressSpec": { + "description": "IngressSpec describes the Ingress the user wishes to exist.", + "properties": { + "defaultBackend": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", + "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller." + }, + "ingressClassName": { + "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. 
However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.", + "type": "string" + }, + "rules": { + "description": "rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", + "tls": { + "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS" }, "type": "array", "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. 
Required.", + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressStatus": { + "description": "IngressStatus describe the current state of the Ingress.", + "properties": { + "loadBalancer": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus", + "description": "loadBalancer contains the current status of the load-balancer." + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.IngressTLS": { + "description": "IngressTLS describes the transport layer security associated with an ingress.", + "properties": { + "hosts": { + "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" + }, + "secretName": { + "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.", + "type": "string" } }, - "required": [ - "subjects" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration": { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "io.k8s.api.networking.v1.NetworkPolicy": { + "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
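Review bot: In the added `io.k8s.api.networking.v1.IngressClassParametersReference`, `scope` is declared as a bare `"type": "string"` and `required` lists only `kind` and `name`, so the rules stated in the descriptions (scope is "Cluster" or "Namespace"; `namespace` is required for "Namespace" and must be unset for "Cluster") are not checked by anything that validates against this schema alone. This file already pins `kind` with an `enum` (see `"IngressList"` in this hunk); consider doing the same for `scope`, or state somewhere that the cross-field rule is left to the API server. Separately, the `-` lines drop the `io.k8s.api.flowcontrol.v1beta3.*` definitions from FlowSchemaSpec through PolicyRulesWithSubjects, so check that no remaining `$ref` in the file still points at them.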
@@ -13747,68 +13643,82 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PriorityLevelConfiguration" + "NetworkPolicy" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec", - "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus", - "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec", + "description": "spec represents the specification of the desired behavior for this NetworkPolicy." 
} }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "NetworkPolicy", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition": { - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", + "io.k8s.api.networking.v1.NetworkPolicyEgressRule": { + "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8", "properties": { - "lastTransitionTime": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": "string" - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": "string" + "ports": { + "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": "string" + "to": { + "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. 
Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.networking.v1.NetworkPolicyIngressRule": { + "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", + "properties": { + "from": { + "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": "string" + "ports": { + "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList": { - "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", + "io.k8s.api.networking.v1.NetworkPolicyList": { + "description": "NetworkPolicyList is a list of NetworkPolicy objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "`items` is a list of request-priorities.", + "description": "items is a list of schema objects.", "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy" }, "type": "array" }, 
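Review bot: `NetworkPolicyIngressRule.from`, `NetworkPolicyEgressRule.to` and both `ports` arrays are declared as plain arrays with no lower bound, while their descriptions say an empty or missing list matches all sources, destinations or ports. A manifest with `from: []` therefore passes validation against this schema and produces a rule that matches every source, which is easy to mistake for a deny. The schema should keep accepting it, since the descriptions define that behaviour, but anything that uses this file as a policy gate needs a separate check that flags present-but-empty lists. The `NetworkPolicyEgressRule` description also still carries "This type is beta-level in 1.8", which reads as stale next to `"version": "v1"`.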
@@ -13816,12 +13726,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PriorityLevelConfigurationList" + "NetworkPolicyList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ 
@@ -13830,270 +13740,213 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" + "group": "networking.k8s.io", + "kind": "NetworkPolicyList", + "version": "v1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference": { - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", + "io.k8s.api.networking.v1.NetworkPolicyPeer": { + "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": "string" + "ipBlock": { + "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock", + "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be." + }, + "namespaceSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector." + }, + "podSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. 
Otherwise it selects the pods matching podSelector in the policy's own namespace." } }, - "required": [ - "name" - ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec": { - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", + "io.k8s.api.networking.v1.NetworkPolicyPort": { + "description": "NetworkPolicyPort describes a port to allow traffic on", "properties": { - "exempt": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration", - "description": "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply." + "endPort": { + "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", + "format": "int32", + "type": "integer" }, - "limited": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration", - "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." + "port": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched." }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. 
A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", + "protocol": { + "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", "type": "string" } }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ] + "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus": { - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration": { - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. 
The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": "integer" - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": "integer" - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": "integer" - } - }, - "type": "object" - }, - "io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule": { - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. 
A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", + "io.k8s.api.networking.v1.NetworkPolicySpec": { + "description": "NetworkPolicySpec provides the specification of a NetworkPolicy", "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", + "egress": { + "description": "egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" }, "type": "array", - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": "boolean" + "x-kubernetes-list-type": "atomic" }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. 
A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.", + "ingress": { + "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" }, "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "set" + "podSelector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. 
An empty podSelector matches all pods in this namespace." }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", + "policyTypes": { + "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", "items": { "type": "string" }, "type": "array", - "x-kubernetes-list-type": "set" + "x-kubernetes-list-type": "atomic" } }, "required": [ - "verbs", - "apiGroups", - "resources" + "podSelector" ], "type": "object" }, - "io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject": { - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", + "io.k8s.api.networking.v1.ServiceBackendPort": { + "description": "ServiceBackendPort is the service port being referenced.", "properties": { "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", + "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", "type": "string" }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. 
Required.", - "type": "string" + "number": { + "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".", + "format": "int32", + "type": "integer" } }, - "required": [ - "namespace", - "name" - ], - "type": "object" + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.flowcontrol.v1beta3.Subject": { - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", + "io.k8s.api.networking.v1beta1.IPAddress": { + "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1", "properties": { - "group": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject", - "description": "`group` matches based on user group name." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": "string" + "description": "Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IPAddress" + ] }, - "serviceAccount": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject", - "description": "`serviceAccount` matches ServiceAccounts." + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "user": { - "$ref": "#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject", - "description": "`user` matches based on username." + "spec": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddressSpec", + "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, - "required": [ - "kind" - ], "type": "object", - "x-kubernetes-unions": [ + "x-kubernetes-group-version-kind": [ { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } + "group": "networking.k8s.io", + "kind": "IPAddress", + "version": "v1beta1" } ] }, - "io.k8s.api.flowcontrol.v1beta3.UserSubject": { - "description": "UserSubject holds detailed information for user-kind subject.", + "io.k8s.api.networking.v1beta1.IPAddressList": { + "description": "IPAddressList contains a list of IPAddress.", "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "io.k8s.api.networking.v1.HTTPIngressPath": { - "description": "HTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.", - "properties": { - "backend": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", - "description": "backend defines the referenced service endpoint to which the traffic will be forwarded to." }, - "path": { - "description": "path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/' and must be present when using PathType with value \"Exact\" or \"Prefix\".", - "type": "string" + "items": { + "description": "items is the list of IPAddresses.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddress" + }, + "type": "array" }, - "pathType": { - "description": "pathType determines the interpretation of the path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is\n done on a path element by element basis. A path element refers is the\n list of labels in the path split by the '/' separator. A request is a\n match for path p if every p is an element-wise prefix of p of the\n request path. Note that if the last element of the path is a substring\n of the last element in request path, it is not a match (e.g. /foo/bar\n matches /foo/bar/baz, but does not match /foo/barbaz).\n* ImplementationSpecific: Interpretation of the Path matching is up to\n the IngressClass. 
Implementations can treat this as a separate PathType\n or treat it identically to Prefix or Exact path types.\nImplementations are required to support all path types.", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "IPAddressList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ - "pathType", - "backend" + "items" ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "IPAddressList", + "version": "v1beta1" + } + ] }, - "io.k8s.api.networking.v1.HTTPIngressRuleValue": { - "description": "HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http://<host>/<path>?<searchpart> -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.", + "io.k8s.api.networking.v1beta1.IPAddressSpec": { + "description": "IPAddressSpec describe the attributes in an IP Address.", "properties": { - "paths": { - "description": "paths is a collection of paths that map requests to backends.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "parentRef": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ParentReference", + "description": "ParentRef references the resource that an IPAddress is attached to. 
An IPAddress must reference a parent object." } }, "required": [ - "paths" + "parentRef" ], "type": "object" }, - "io.k8s.api.networking.v1.IPBlock": { - "description": "IPBlock describes a particular CIDR (Ex. \"192.168.1.0/24\",\"2001:db8::/64\") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.", + "io.k8s.api.networking.v1beta1.ParentReference": { + "description": "ParentReference describes a reference to a parent object.", "properties": { - "cidr": { - "description": "cidr is a string representing the IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\"", + "group": { + "description": "Group is the group of the object being referenced.", "type": "string" }, - "except": { - "description": "except is a slice of CIDRs that should not be included within an IPBlock Valid examples are \"192.168.1.0/24\" or \"2001:db8::/64\" Except values will be rejected if they are outside the cidr range", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "name": { + "description": "Name is the name of the object being referenced.", + "type": "string" + }, + "namespace": { + "description": "Namespace is the namespace of the object being referenced.", + "type": "string" + }, + "resource": { + "description": "Resource is the resource of the object being referenced.", + "type": "string" } }, "required": [ - "cidr" + "resource", + "name" ], "type": "object" }, - "io.k8s.api.networking.v1.Ingress": { - "description": "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.", + "io.k8s.api.networking.v1beta1.ServiceCIDR": { + "description": "ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 
192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -14103,7 +13956,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "Ingress" + "ServiceCIDR" ] }, "metadata": { 
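Review bot: The IPv6 example in the added `io.k8s.api.networking.v1beta1.ServiceCIDR` description reads `2001:db2::/64`, while the other added descriptions in this patch (`IPAddress`, and `cidrs` under `ServiceCIDRSpec`) use the documentation prefix `2001:db8::`. This looks like a typo: `2001:db8::/32` is the range reserved for documentation (RFC 3849), and `2001:db2::/64` is outside it. Change the example to `2001:db8::/64` so the examples agree and nobody copies a non-reserved range into a cluster configuration. If this file is generated, make the fix in the source the description comes from rather than here.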
@@ -14111,80 +13964,161 @@ "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressSpec", - "description": "spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec", + "description": "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressStatus", - "description": "status is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus", + "description": "status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "networking.k8s.io", - "kind": "Ingress", - "version": "v1" + "kind": "ServiceCIDR", + "version": "v1beta1" } ] }, - "io.k8s.api.networking.v1.IngressBackend": { - "description": "IngressBackend describes all endpoints for a given service and port.", - "properties": { - "resource": { - "$ref": "#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference", - "description": "resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with \"Service\"." 
+ "io.k8s.api.networking.v1beta1.ServiceCIDRList": { + "description": "ServiceCIDRList contains a list of ServiceCIDR objects.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" }, - "service": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressServiceBackend", - "description": "service references a service as a backend. This is a mutually exclusive setting with \"Resource\"." + "items": { + "description": "items is the list of ServiceCIDRs.", + "items": { + "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDR" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ServiceCIDRList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "networking.k8s.io", + "kind": "ServiceCIDRList", + "version": "v1beta1" + } + ] + }, + "io.k8s.api.networking.v1beta1.ServiceCIDRSpec": { + "description": "ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.", + "properties": { + "cidrs": { + "description": "CIDRs defines the IP blocks in CIDR notation (e.g. 
\"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressClass": { - "description": "IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.", + "io.k8s.api.networking.v1beta1.ServiceCIDRStatus": { + "description": "ServiceCIDRStatus describes the current state of the ServiceCIDR.", + "properties": { + "conditions": { + "description": "conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. Current service state", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": "object" + }, + "io.k8s.api.node.v1.Overhead": { + "description": "Overhead structure represents the resource overhead associated with running a pod.", + "properties": { + "podFixed": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + }, + "description": "podFixed represents the fixed resource overhead associated with running a pod.", + "type": "object" + } + }, + "type": "object" + }, + "io.k8s.api.node.v1.RuntimeClass": { + "description": "RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. 
RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, + "handler": { + "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.", + "type": "string" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressClass" + "RuntimeClass" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassSpec", - "description": "spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "overhead": { + "$ref": "#/definitions/io.k8s.api.node.v1.Overhead", + "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" + }, + "scheduling": { + "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling", + "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes." } }, + "required": [ + "handler" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressClass", + "group": "node.k8s.io", + "kind": "RuntimeClass", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressClassList": { - "description": "IngressClassList is a collection of IngressClasses.", + "io.k8s.api.node.v1.RuntimeClassList": { + "description": "RuntimeClassList is a list of RuntimeClass objects.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of IngressClasses.", + "description": "items is a list of schema objects.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClass" + "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass" }, "type": "array" }, @@ -14192,12 +14126,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressClassList" + "RuntimeClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata." + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" } }, "required": [ 
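Review bot: In the added `ServiceCIDRSpec.cidrs` and `RuntimeClass.handler` properties, the limits exist only in the description text and not in the schema. `cidrs` states "Max of two CIDRs is allowed, one of each IP family" but the array carries no `maxItems`, and `handler` states it must be lowercase and conform to the DNS Label (RFC 1123) requirements but is declared as a plain `"type": "string"` with no `pattern` or `maxLength`. A manifest checked against this schema alone will pass with three CIDRs or an uppercase handler, so linting done before admission will not catch either. Add the constraints to the schema, or note in the descriptions that these rules are not enforced by it. Separately, the added `RuntimeClass` `metadata` description is only "More info: ..." where the other kinds in this patch open with "Standard object's metadata."; restoring that sentence would keep the descriptions uniform.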
@@ -14206,67 +14140,113 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressClassList", + "group": "node.k8s.io", + "kind": "RuntimeClassList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressClassParametersReference": { - "description": "IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.", + "io.k8s.api.node.v1.Scheduling": { + "description": "Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.", "properties": { - "apiGroup": { - "description": "apiGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", - "type": "string" + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "description": "nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.", + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "kind": { - "description": "kind is the type of resource being referenced.", + "tolerations": { + "description": "tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.", + "items": { + "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.policy.v1.Eviction": { + "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. 
A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "name": { - "description": "name is the name of resource being referenced.", - "type": "string" + "deleteOptions": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions", + "description": "DeleteOptions may be provided" }, - "namespace": { - "description": "namespace is the namespace of the resource being referenced. This field is required when scope is set to \"Namespace\" and must be unset when scope is set to \"Cluster\".", - "type": "string" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "Eviction" + ] }, - "scope": { - "description": "scope represents if this refers to a cluster or namespace scoped resource. This may be set to \"Cluster\" (default) or \"Namespace\".", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta describes the pod that is being evicted." 
} }, - "required": [ - "kind", - "name" - ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "policy", + "kind": "Eviction", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.IngressClassSpec": { - "description": "IngressClassSpec provides information about the class of an Ingress.", + "io.k8s.api.policy.v1.PodDisruptionBudget": { + "description": "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods", "properties": { - "controller": { - "description": "controller refers to the name of the controller that should handle this class. This allows for different \"flavors\" that are controlled by the same controller. For example, you may have different parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. \"acme.io/ingress-controller\". This field is immutable.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "parameters": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference", - "description": "parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters." + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "PodDisruptionBudget" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec", + "description": "Specification of the desired behavior of the PodDisruptionBudget." + }, + "status": { + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus", + "description": "Most recently observed status of the PodDisruptionBudget." } }, - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "policy", + "kind": "PodDisruptionBudget", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.IngressList": { - "description": "IngressList is a collection of Ingress.", + "io.k8s.api.policy.v1.PodDisruptionBudgetList": { + "description": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of Ingress.", + "description": "Items is a list of PodDisruptionBudgets", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.Ingress" + "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget" }, "type": "array" }, 
@@ -14274,7 +14254,7 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IngressList" + "PodDisruptionBudgetList" ] }, "metadata": { 
@@ -14288,246 +14268,238 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IngressList", + "group": "policy", + "kind": "PodDisruptionBudgetList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.IngressLoadBalancerIngress": { - "description": "IngressLoadBalancerIngress represents the status of a load-balancer ingress point.", + "io.k8s.api.policy.v1.PodDisruptionBudgetSpec": { + "description": "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.", "properties": { - "hostname": { - "description": "hostname is set for load-balancer ingress points that are DNS based.", - "type": "string" - }, - "ip": { - "description": "ip is set for load-balancer ingress points that are IP based.", - "type": "string" + "maxUnavailable": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\"." }, - "ports": { - "description": "ports provides information about the ports exposed by this LoadBalancer.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressPortStatus" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "minAvailable": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", + "description": "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\"." + }, + "selector": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", + "description": "Label query over pods whose evictions are managed by the disruption budget. 
A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.", + "x-kubernetes-patch-strategy": "replace" + }, + "unhealthyPodEvictionPolicy": { + "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).", + "type": "string" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressLoadBalancerStatus": { - "description": "IngressLoadBalancerStatus represents the status of a load-balancer.", + "io.k8s.api.policy.v1.PodDisruptionBudgetStatus": { + "description": "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. 
Status may trail the actual state of a system.", "properties": { - "ingress": { - "description": "ingress is a list containing ingress points for the load-balancer.", + "conditions": { + "description": "Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerIngress" + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" }, "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.IngressPortStatus": { - "description": "IngressPortStatus represents the error condition of a service port", - "properties": { - "error": { - "description": "error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use\n CamelCase names\n- cloud provider specific error values must have names that comply with the\n format foo.example.com/CamelCase.", - "type": "string" + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "type", + "x-kubernetes-patch-strategy": "merge" }, - "port": { - "description": "port is the port 
number of the ingress port.", + "currentHealthy": { + "description": "current number of healthy pods", "format": "int32", "type": "integer" }, - "protocol": { - "description": "protocol is the protocol of the ingress port. The supported values are: \"TCP\", \"UDP\", \"SCTP\"", - "type": "string" + "desiredHealthy": { + "description": "minimum desired number of healthy pods", + "format": "int32", + "type": "integer" + }, + "disruptedPods": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + }, + "description": "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.", + "type": "object" + }, + "disruptionsAllowed": { + "description": "Number of pod disruptions that are currently allowed.", + "format": "int32", + "type": "integer" + }, + "expectedPods": { + "description": "total number of pods counted by this disruption budget", + "format": "int32", + "type": "integer" + }, + "observedGeneration": { + "description": "Most recent generation observed when updating this PDB status. 
DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.", + "format": "int64", + "type": "integer" } }, "required": [ - "port", - "protocol" + "disruptionsAllowed", + "currentHealthy", + "desiredHealthy", + "expectedPods" ], "type": "object" }, - "io.k8s.api.networking.v1.IngressRule": { - "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", + "io.k8s.api.rbac.v1.AggregationRule": { + "description": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole", "properties": { - "host": { - "description": "host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nhost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. 
If host is precise, the request matches this rule if the http host header is equal to Host. 2. If host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.", - "type": "string" - }, - "http": { - "$ref": "#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue" + "clusterRoleSelectors": { + "description": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", + "items": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.networking.v1.IngressServiceBackend": { - "description": "IngressServiceBackend references a Kubernetes Service as a Backend.", + "io.k8s.api.rbac.v1.ClusterRole": { + "description": "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.", "properties": { - "name": { - "description": "name is the referenced service. The service must exist in the same namespace as the Ingress object.", + "aggregationRule": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.AggregationRule", + "description": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller." + }, + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "port": { - "$ref": "#/definitions/io.k8s.api.networking.v1.ServiceBackendPort", - "description": "port of the referenced service. A port name or port number is required for a IngressServiceBackend." - } - }, - "required": [ - "name" - ], - "type": "object" - }, - "io.k8s.api.networking.v1.IngressSpec": { - "description": "IngressSpec describes the Ingress the user wishes to exist.", - "properties": { - "defaultBackend": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressBackend", - "description": "defaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller." + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ClusterRole" + ] }, - "ingressClassName": { - "description": "ingressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. 
However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.", - "type": "string" + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." }, "rules": { - "description": "rules is a list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "tls": { - "description": "tls represents the TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.", + "description": "Rules holds all the PolicyRules for this ClusterRole", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressTLS" + "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, - "type": "object" - }, - "io.k8s.api.networking.v1.IngressStatus": { - "description": "IngressStatus describe the current state of the Ingress.", - "properties": { - "loadBalancer": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus", - "description": "loadBalancer contains the current status of the load-balancer." 
+ "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRole", + "version": "v1" } - }, - "type": "object" + ] }, - "io.k8s.api.networking.v1.IngressTLS": { - "description": "IngressTLS describes the transport layer security associated with an ingress.", + "io.k8s.api.rbac.v1.ClusterRoleBinding": { + "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", "properties": { - "hosts": { - "description": "hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ClusterRoleBinding" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." + }, + "roleRef": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", + "description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." 
+ }, + "subjects": { + "description": "Subjects holds references to the objects the role applies to.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" }, "type": "array", "x-kubernetes-list-type": "atomic" - }, - "secretName": { - "description": "secretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the \"Host\" header field used by an IngressRule, the SNI host is used for termination and value of the \"Host\" header is used for routing.", - "type": "string" } }, - "type": "object" + "required": [ + "roleRef" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleBinding", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1.NetworkPolicy": { - "description": "NetworkPolicy describes what network traffic is allowed for a set of Pods", + "io.k8s.api.rbac.v1.ClusterRoleBindingList": { + "description": "ClusterRoleBindingList is a collection of ClusterRoleBindings", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, + "items": { + "description": "Items is a list of ClusterRoleBindings", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding" + }, + "type": "array" + }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "NetworkPolicy" + "ClusterRoleBindingList" ] }, "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec", - "description": "spec represents the specification of the desired behavior for this NetworkPolicy." + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata." } }, + "required": [ + "items" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "NetworkPolicy", + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleBindingList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.NetworkPolicyEgressRule": { - "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8", - "properties": { - "ports": { - "description": "ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "to": { - "description": "to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. 
If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyIngressRule": { - "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", - "properties": { - "from": { - "description": "from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "ports": { - "description": "ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). 
If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyList": { - "description": "NetworkPolicyList is a list of NetworkPolicy objects.", + "io.k8s.api.rbac.v1.ClusterRoleList": { + "description": "ClusterRoleList is a collection of ClusterRoles", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is a list of schema objects.", + "description": "Items is a list of ClusterRoles", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicy" + "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRole" }, "type": "array" }, @@ -14535,12 +14507,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "NetworkPolicyList" + "ClusterRoleList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." } }, "required": [ 
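Review bot: in the hunk at `@@ -14288,246 +14268,238 @@`, the `io.k8s.api.networking.v1` definitions from `IngressLoadBalancerIngress` through `NetworkPolicyList` are removed at this position and replaced by `policy.v1` and `rbac.v1` definitions, and the visible lines do not show whether the networking definitions were moved or dropped. Please confirm that every `#/definitions/io.k8s.api.networking.v1...` `$ref` still present in the file resolves after this change, ideally with a CI check that walks all `$ref` values. Two of the added descriptions also carry wording errors worth fixing where these strings are generated: "perspective running pods" in `unhealthyPodEvictionPolicy` and "references a ClusterRole, but not contain it" in `ClusterRoleBinding`.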
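Review bot: in the hunk at `@@ -14535,12 +14507,12 @@`, the `metadata` property still references `io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta`, but its description changes from "Standard list metadata. More info: ..." to "Standard object's metadata.", which mislabels the referenced type and drops the api-conventions link. Suggest keeping "Standard list metadata." together with the link for the `ClusterRoleList` entry.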
@@ -14549,74 +14521,49 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "NetworkPolicyList", + "group": "rbac.authorization.k8s.io", + "kind": "ClusterRoleList", "version": "v1" } ] }, - "io.k8s.api.networking.v1.NetworkPolicyPeer": { - "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", - "properties": { - "ipBlock": { - "$ref": "#/definitions/io.k8s.api.networking.v1.IPBlock", - "description": "ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be." - }, - "namespaceSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector." - }, - "podSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace." 
- } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicyPort": { - "description": "NetworkPolicyPort describes a port to allow traffic on", + "io.k8s.api.rbac.v1.PolicyRule": { + "description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.", "properties": { - "endPort": { - "description": "endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", - "format": "int32", - "type": "integer" - }, - "port": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched." + "apiGroups": { + "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "protocol": { - "description": "protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", - "type": "string" - } - }, - "type": "object" - }, - "io.k8s.api.networking.v1.NetworkPolicySpec": { - "description": "NetworkPolicySpec provides the specification of a NetworkPolicy", - "properties": { - "egress": { - "description": "egress is a list of egress rules to be applied to the selected pods. 
Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", + "nonResourceURLs": { + "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "ingress": { - "description": "ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", + "resourceNames": { + "description": "ResourceNames is an optional white list of names that the rule applies to. 
An empty set means that everything is allowed.", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule" + "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, - "podSelector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace." + "resources": { + "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "policyTypes": { - "description": "policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", + "verbs": { + "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, 
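Review bot: in the added `io.k8s.api.rbac.v1.PolicyRule`, the `resourceNames` description states "An empty set means that everything is allowed." and the schema places no constraint on that field or on the `*` wildcards documented for `apiGroups`, `resources` and `verbs`, so validation against this definition will not flag unrestricted rules. If this schema is the only gate for RBAC manifests, add a separate policy check for wildcard or unscoped rules. The `nonResourceURLs` description is also missing a sentence break ("...final step in the path Since non-resource URLs..."), and "white list" in `resourceNames` would read better as "allow list".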
@@ -14625,28 +14572,48 @@ } }, "required": [ - "podSelector" + "verbs" ], "type": "object" }, - "io.k8s.api.networking.v1.ServiceBackendPort": { - "description": "ServiceBackendPort is the service port being referenced.", + "io.k8s.api.rbac.v1.Role": { + "description": "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.", "properties": { - "name": { - "description": "name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".", + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "number": { - "description": "number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".", - "format": "int32", - "type": "integer" + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "Role" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object's metadata." 
+ }, + "rules": { + "description": "Rules holds all the PolicyRules for this Role", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object", - "x-kubernetes-map-type": "atomic" + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "Role", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1beta1.IPAddress": { - "description": "IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of the object is the IP address in canonical format, four decimal digits separated by dots suppressing leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1", + "io.k8s.api.rbac.v1.RoleBinding": { + "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
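Review bot: The added `io.k8s.api.rbac.v1.Role` definition pins `kind` with `"enum": [ "Role" ]` but leaves `apiVersion` as a plain string and declares no `required` list, so a document with no `kind`, no `apiVersion`, or no `rules` still validates as a Role. The group and version are only recorded in `x-kubernetes-group-version-kind`, which a plain JSON Schema validator does not enforce. If this file gates manifests before they reach a cluster, either note that limitation where the schema is consumed or have the consumer check `apiVersion` and `kind` against that entry.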
@@ -14656,38 +14623,49 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IPAddress" + "RoleBinding" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddressSpec", - "description": "spec is the desired state of the IPAddress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "roleRef": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", + "description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." 
+ }, + "subjects": { + "description": "Subjects holds references to the objects the role applies to.", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, + "required": [ + "roleRef" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IPAddress", - "version": "v1beta1" + "group": "rbac.authorization.k8s.io", + "kind": "RoleBinding", + "version": "v1" } ] }, - "io.k8s.api.networking.v1beta1.IPAddressList": { - "description": "IPAddressList contains a list of IPAddress.", + "io.k8s.api.rbac.v1.RoleBindingList": { + "description": "RoleBindingList is a collection of RoleBindings", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "items is the list of IPAddresses.", + "description": "Items is a list of RoleBindings", "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.IPAddress" + "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleBinding" }, "type": "array" }, 
@@ -14695,12 +14673,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "IPAddressList" + "RoleBindingList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object's metadata." } }, "required": [ 
@@ -14709,267 +14687,205 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "networking.k8s.io", - "kind": "IPAddressList", - "version": "v1beta1" + "group": "rbac.authorization.k8s.io", + "kind": "RoleBindingList", + "version": "v1" } ] }, - "io.k8s.api.networking.v1beta1.IPAddressSpec": { - "description": "IPAddressSpec describe the attributes in an IP Address.", + "io.k8s.api.rbac.v1.RoleList": { + "description": "RoleList is a collection of Roles", "properties": { - "parentRef": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ParentReference", - "description": "ParentRef references the resource that an IPAddress is attached to. An IPAddress must reference a parent object." + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "Items is a list of Roles", + "items": { + "$ref": "#/definitions/io.k8s.api.rbac.v1.Role" + }, + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "RoleList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard object's metadata." 
} }, "required": [ - "parentRef" + "items" ], - "type": "object" + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "rbac.authorization.k8s.io", + "kind": "RoleList", + "version": "v1" + } + ] }, - "io.k8s.api.networking.v1beta1.ParentReference": { - "description": "ParentReference describes a reference to a parent object.", + "io.k8s.api.rbac.v1.RoleRef": { + "description": "RoleRef contains information that points to the role being used", "properties": { - "group": { - "description": "Group is the group of the object being referenced.", - "type": "string" - }, - "name": { - "description": "Name is the name of the object being referenced.", + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced", "type": "string" }, - "namespace": { - "description": "Namespace is the namespace of the object being referenced.", + "kind": { + "description": "Kind is the type of resource being referenced", "type": "string" }, - "resource": { - "description": "Resource is the resource of the object being referenced.", + "name": { + "description": "Name is the name of resource being referenced", "type": "string" } }, "required": [ - "resource", + "apiGroup", + "kind", "name" ], - "type": "object" + "type": "object", + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.networking.v1beta1.ServiceCIDR": { - "description": "ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.", + "io.k8s.api.rbac.v1.Subject": { + "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "apiGroup": { + "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", "type": "string" }, "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ServiceCIDR" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "spec": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec", - "description": "spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus", - "description": "status represents the current state of the ServiceCIDR. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "networking.k8s.io", - "kind": "ServiceCIDR", - "version": "v1beta1" - } - ] - }, - "io.k8s.api.networking.v1beta1.ServiceCIDRList": { - "description": "ServiceCIDRList contains a list of ServiceCIDR objects.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", "type": "string" }, - "items": { - "description": "items is the list of ServiceCIDRs.", - "items": { - "$ref": "#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDR" - }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ServiceCIDRList" - ] + "name": { + "description": "Name of the object being referenced.", + "type": "string" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "namespace": { + "description": "Namespace of the referenced object. 
If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", + "type": "string" } }, "required": [ - "items" + "kind", + "name" ], "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "networking.k8s.io", - "kind": "ServiceCIDRList", - "version": "v1beta1" - } - ] + "x-kubernetes-map-type": "atomic" }, - "io.k8s.api.networking.v1beta1.ServiceCIDRSpec": { - "description": "ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.", + "io.k8s.api.resource.v1alpha3.AllocationResult": { + "description": "AllocationResult contains attributes of an allocated resource.", "properties": { - "cidrs": { - "description": "CIDRs defines the IP blocks in CIDR notation (e.g. \"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "devices": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "description": "Devices is the result of allocating devices." + }, + "nodeSelector": { + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere." } }, "type": "object" }, - "io.k8s.api.networking.v1beta1.ServiceCIDRStatus": { - "description": "ServiceCIDRStatus describes the current state of the ServiceCIDR.", + "io.k8s.api.resource.v1alpha3.BasicDevice": { + "description": "BasicDevice defines one device instance.", "properties": { - "conditions": { - "description": "conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. 
Current service state", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + "attributes": { + "additionalProperties": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" }, - "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object" - }, - "io.k8s.api.node.v1.Overhead": { - "description": "Overhead structure represents the resource overhead associated with running a pod.", - "properties": { - "podFixed": { + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": "object" + }, + "capacity": { "additionalProperties": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" }, - "description": "podFixed represents the fixed resource overhead associated with running a pod.", + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" } }, "type": "object" }, - "io.k8s.api.node.v1.RuntimeClass": { - "description": "RuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. 
For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/", + "io.k8s.api.resource.v1alpha3.CELDeviceSelector": { + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. 
you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", "type": "string" + } + }, + "required": [ + "expression" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.Device": { + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "description": "Basic defines one device instance." }, - "handler": { - "description": "handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. 
For example, a handler called \"runc\" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.", + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RuntimeClass" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "overhead": { - "$ref": "#/definitions/io.k8s.api.node.v1.Overhead", - "description": "overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see\n https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" - }, - "scheduling": { - "$ref": "#/definitions/io.k8s.api.node.v1.Scheduling", - "description": "scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes." 
} }, "required": [ - "handler" + "name" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "node.k8s.io", - "kind": "RuntimeClass", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.node.v1.RuntimeClassList": { - "description": "RuntimeClassList is a list of RuntimeClass objects.", + "io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration": { + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." }, - "items": { - "description": "items is a list of schema objects.", + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", "items": { - "$ref": "#/definitions/io.k8s.api.node.v1.RuntimeClass" + "type": "string" }, - "type": "array" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RuntimeClassList" - ] + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard list metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": "string" } }, "required": [ - "items" + "source" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "node.k8s.io", - "kind": "RuntimeClassList", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.node.v1.Scheduling": { - "description": "Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.", + "io.k8s.api.resource.v1alpha3.DeviceAllocationResult": { + "description": "DeviceAllocationResult is the result of allocating devices.", "properties": { - "nodeSelector": { - "additionalProperties": { - "type": "string" + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" }, - "description": "nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. 
Any conflicts will cause the pod to be rejected in admission.", - "type": "object", - "x-kubernetes-map-type": "atomic" + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "tolerations": { - "description": "tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.", + "results": { + "description": "Results lists all allocated devices.", "items": { - "$ref": "#/definitions/io.k8s.api.core.v1.Toleration" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" }, "type": "array", "x-kubernetes-list-type": "atomic" 
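Review bot: Several added descriptions in this hunk state constraints that the schema itself does not encode. `io.k8s.api.rbac.v1.Subject` documents `kind` as "User", "Group" or "ServiceAccount" and says `namespace` must be empty for non-namespaced kinds, yet both are free `"type": "string"` fields. `Device` says "Besides the name, exactly one field must be set" while only `name` is required. `CELDeviceSelector.expression` documents a 10 Ki length limit with no `maxLength`. `DeviceAllocationConfiguration.source` is described as a two-way choice but is an unconstrained string. Anything validated only against this file will accept RBAC subjects and device objects that the descriptions say should be rejected, so either add the constraints or document that the schema is structural only. There are also text defects worth fixing at the source: "does not recognized" in `Subject.kind`, "its applies" in `DeviceAllocationConfiguration.requests`, and an unclosed parenthesis after "(e.g. device.attributes" in the CEL description.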
@@ -14977,40 +14893,79 @@ }, "type": "object" }, - "io.k8s.api.policy.v1.Eviction": { - "description": "Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.", + "io.k8s.api.resource.v1alpha3.DeviceAttribute": { + "description": "DeviceAttribute must have exactly one field set.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "bool": { + "description": "BoolValue is a true/false value.", + "type": "boolean" + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": "integer" + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", "type": "string" }, - "deleteOptions": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions", - "description": "DeleteOptions may be provided" + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": "string" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClaim": { + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. 
It is ignored while allocating the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "Eviction" - ] + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "ObjectMeta describes the pod that is being evicted." + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration": { + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. 
If empty, it applies to all requests.", + "items": { + "type": "string" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "policy", - "kind": "Eviction", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.policy.v1.PodDisruptionBudget": { - "description": "PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods", + "io.k8s.api.resource.v1alpha3.DeviceClass": { + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
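Review bot: The added `DeviceAttribute` description says it "must have exactly one field set", but the definition lists `bool`, `int`, `string` and `version` as four optional properties with no `oneOf`, `minProperties` or `maxProperties`, so an empty object or one with all four set passes validation. The same applies to the "Must not be longer than 64 characters" wording on `string` and `version`, which has no matching `maxLength`. If the file is hand-maintained, add those keywords; if it is generated, record that these limits are enforced only by the API server so that nobody relies on this schema for them.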
@@ -15020,42 +14975,51 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PodDisruptionBudget" + "DeviceClass" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec", - "description": "Specification of the desired behavior of the PodDisruptionBudget." - }, - "status": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus", - "description": "Most recently observed status of the PodDisruptionBudget." + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." 
} }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "policy", - "kind": "PodDisruptionBudget", - "version": "v1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1alpha3" } ] }, - "io.k8s.api.policy.v1.PodDisruptionBudgetList": { - "description": "PodDisruptionBudgetList is a collection of PodDisruptionBudgets.", + "io.k8s.api.resource.v1alpha3.DeviceClassConfiguration": { + "description": "DeviceClassConfiguration is used in DeviceClass.", + "properties": { + "opaque": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceClassList": { + "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of PodDisruptionBudgets", + "description": "Items is the list of resource classes.", "items": { - "$ref": "#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" }, "type": "array" }, 
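Review bot: in DeviceClassList, items is described as "Items is the list of resource classes." while the element type is io.k8s.api.resource.v1alpha3.DeviceClass; say "device classes" so the wording matches the kind. The new DeviceClass metadata description ("Standard object metadata") also drops the api-conventions link and the trailing period that the replaced line carried, while apiVersion and kind in the same object still link out. Since the spec description says classes are mutable and that "Claim allocations are done once", it would help to state outright that editing a class does not change claims that are already allocated.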
@@ -15063,12 +15027,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "PodDisruptionBudgetList" + "DeviceClassList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata" } }, "required": [ 
@@ -15077,148 +15041,153 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "policy", - "kind": "PodDisruptionBudgetList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "DeviceClassList", + "version": "v1alpha3" } ] }, - "io.k8s.api.policy.v1.PodDisruptionBudgetSpec": { - "description": "PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.", + "io.k8s.api.resource.v1alpha3.DeviceClassSpec": { + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { - "maxUnavailable": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "An eviction is allowed if at most \"maxUnavailable\" pods selected by \"selector\" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with \"minAvailable\"." - }, - "minAvailable": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString", - "description": "An eviction is allowed if at least \"minAvailable\" pods selected by \"selector\" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying \"100%\"." - }, - "selector": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector", - "description": "Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.", - "x-kubernetes-patch-strategy": "replace" + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. 
Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "unhealthyPodEvictionPolicy": { - "description": "UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods should be considered for eviction. Current implementation considers healthy pods, as pods that have status.conditions item with type=\"Ready\",status=\"True\".\n\nValid policies are IfHealthyBudget and AlwaysAllow. If no policy is specified, the default behavior will be used, which corresponds to the IfHealthyBudget policy.\n\nIfHealthyBudget policy means that running pods (status.phase=\"Running\"), but not yet healthy can be evicted only if the guarded application is not disrupted (status.currentHealthy is at least equal to status.desiredHealthy). Healthy pods will be subject to the PDB for eviction.\n\nAlwaysAllow policy means that all running pods (status.phase=\"Running\"), but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met. This means perspective running pods of a disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction.\n\nAdditional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in this field.\n\nThis field is beta-level. 
The eviction API uses this field when the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).", - "type": "string" + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" } }, "type": "object" }, - "io.k8s.api.policy.v1.PodDisruptionBudgetStatus": { - "description": "PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.", + "io.k8s.api.resource.v1alpha3.DeviceConstraint": { + "description": "DeviceConstraint must have exactly one field set besides Requests.", "properties": { - "conditions": { - "description": "Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute\n the number of allowed disruptions. Therefore no disruptions are\n allowed and the status of the condition will be False.\n- InsufficientPods: The number of pods are either at or below the number\n required by the PodDisruptionBudget. No disruptions are\n allowed and the status of the condition will be False.\n- SufficientPods: There are more pods than required by the PodDisruptionBudget.\n The condition will be True, and the number of allowed\n disruptions are provided by the disruptionsAllowed property.", + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. 
A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": "string" + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" + "type": "string" }, "type": "array", - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceRequest": { + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. 
Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": "boolean" }, - "currentHealthy": { - "description": "current number of healthy pods", - "format": "int32", - "type": "integer" + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": "string" }, - "desiredHealthy": { - "description": "minimum desired number of healthy pods", - "format": "int32", + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", "type": "integer" }, - "disruptedPods": { - "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time" + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. 
If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": "string" + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": "string" + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" }, - "description": "DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.", - "type": "object" + "type": "array", + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult": { + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. 
See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": "boolean" }, - "disruptionsAllowed": { - "description": "Number of pod disruptions that are currently allowed.", - "format": "int32", - "type": "integer" + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": "string" }, - "expectedPods": { - "description": "total number of pods counted by this disruption budget", - "format": "int32", - "type": "integer" + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": "string" }, - "observedGeneration": { - "description": "Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.", - "format": "int64", - "type": "integer" + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": "string" + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. 
Multiple devices may have been allocated per request.", + "type": "string" } }, "required": [ - "disruptionsAllowed", - "currentHealthy", - "desiredHealthy", - "expectedPods" + "request", + "driver", + "pool", + "device" ], "type": "object" }, - "io.k8s.api.rbac.v1.AggregationRule": { - "description": "AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole", + "io.k8s.api.resource.v1alpha3.DeviceSelector": { + "description": "DeviceSelector must have exactly one field set.", "properties": { - "clusterRoleSelectors": { - "description": "ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added", - "items": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "cel": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "description": "CEL contains a CEL expression for selecting a device." } }, "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRole": { - "description": "ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.", + "io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration": { + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", "properties": { - "aggregationRule": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.AggregationRule", - "description": "AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller." - }, - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterRole" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." - }, - "rules": { - "description": "Rules holds all the PolicyRules for this ClusterRole", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + }, + "parameters": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." 
} }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRole", - "version": "v1" - } - ] + "required": [ + "driver", + "parameters" + ], + "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRoleBinding": { - "description": "ClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.", + "io.k8s.api.resource.v1alpha3.ResourceClaim": { + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
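Review bot: DeviceRequest.count is documented as "Must be greater than zero" but is declared only with "format": "int64" and "type": "integer", so a validator driven by this file accepts 0 and negative values; add "minimum": 1 or say in the description where the bound is enforced. The same gap applies to DeviceSelector and DeviceConstraint ("must have exactly one field set") and to the 10 Ki limit on OpaqueDeviceConfiguration.parameters, none of which the schema expresses. adminAccess is a plain boolean whose claims "ignore all ordinary claims to the device", so its description should say who is expected to be allowed to set it beyond naming the DRAAdminAccess feature gate. Description typos to fix at the source: "classses", "AlloctionMode", "It's absence" (should be "Its absence"), and in count, "when the count mode is" should refer to the allocation mode.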
@@ -15228,87 +15197,72 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ClusterRoleBinding" + "ResourceClaim" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "description": "Standard object metadata" }, - "roleRef": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", - "description": "RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, - "subjects": { - "description": "Subjects holds references to the objects the role applies to.", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "status": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "description": "Status describes whether the claim is ready to use and what has been allocated." 
} }, "required": [ - "roleRef" + "spec" ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleBinding", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.ClusterRoleBindingList": { - "description": "ClusterRoleBindingList is a collection of ClusterRoleBindings", + "io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference": { + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", "type": "string" }, - "items": { - "description": "Items is a list of ClusterRoleBindings", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding" - }, - "type": "array" + "name": { + "description": "Name is the name of resource being referenced.", + "type": "string" }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "ClusterRoleBindingList" - ] + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": "string" }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": "string" } }, "required": [ - "items" + "resource", + "name", + "uid" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleBindingList", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.rbac.v1.ClusterRoleList": { - "description": "ClusterRoleList is a collection of ClusterRoles", + "io.k8s.api.resource.v1alpha3.ResourceClaimList": { + "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of ClusterRoles", + "description": "Items is the list of resource claims.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.ClusterRole" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" }, "type": "array" }, 
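Review bot: the io.k8s.api.rbac.v1.ClusterRoleBinding and ClusterRoleBindingList definitions, including the "required": [ "roleRef" ] constraint, appear here only as removed lines; confirm they are still defined elsewhere in _definitions.json, because anything validating RBAC manifests against this file would otherwise stop checking them. In ResourceClaimConsumerReference, the description says "The user must be a resource in the same namespace as the ResourceClaim" where the preceding sentence calls it the consumer; use one term.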
@@ -15316,12 +15270,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "ClusterRoleList" + "ResourceClaimList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "description": "Standard list metadata" } }, "required": [ 
@@ -15330,63 +15284,47 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "ClusterRoleList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaimList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.PolicyRule": { - "description": "PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.", + "io.k8s.api.resource.v1alpha3.ResourceClaimSpec": { + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { - "apiGroups": { - "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "nonResourceURLs": { - "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resourceNames": { - "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" - }, - "resources": { - "description": "Resources is a list of resources this rule applies to. 
'*' represents all resources.", - "items": { - "type": "string" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "devices": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "description": "Devices defines how to request devices." + } + }, + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.ResourceClaimStatus": { + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "description": "Allocation is set once the claim has been allocated successfully." }, - "verbs": { - "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. 
This may get increased in the future, but not reduced.", "items": { - "type": "string" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" }, "type": "array", - "x-kubernetes-list-type": "atomic" + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" } }, - "required": [ - "verbs" - ], "type": "object" }, - "io.k8s.api.rbac.v1.Role": { - "description": "Role is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.", + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplate": { + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
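Review bot: reservedFor states "There can be at most 32 such reservations" but the array carries no "maxItems", so the limit is documentation only for anyone validating with this schema; either add "maxItems": 32 or say in the description where the limit is enforced. The io.k8s.api.rbac.v1.PolicyRule definition and its "required": [ "verbs" ] constraint also appear only as removed lines in this hunk, so check that they are still defined elsewhere in the file.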
@@ -15396,123 +15334,156 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "Role" + "ResourceClaimTemplate" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "description": "Standard object metadata" }, - "rules": { - "description": "Rules holds all the PolicyRules for this Role", + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1alpha3" + } + ] + }, + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateList": { + "description": "ResourceClaimTemplateList is a collection of claim templates.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "items": { + "description": "Items is the list of resource claim templates.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.PolicyRule" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "type": "array" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string", + "enum": [ + "ResourceClaimTemplateList" + ] + }, + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata" } }, + "required": [ + "items" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "Role", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplateList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleBinding": { - "description": "RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.", + "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec": { + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. 
No other fields are allowed and will be rejected during validation." + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." + } + }, + "required": [ + "spec" + ], + "type": "object" + }, + "io.k8s.api.resource.v1alpha3.ResourcePool": { + "description": "ResourcePool describes the pool that ResourceSlices belong to.", "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": "string" - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string", - "enum": [ - "RoleBinding" - ] - }, - "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata." + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. 
The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": "integer" }, - "roleRef": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleRef", - "description": "RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. This field is immutable." + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": "string" }, - "subjects": { - "description": "Subjects holds references to the objects the role applies to.", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Subject" - }, - "type": "array", - "x-kubernetes-list-type": "atomic" + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. 
Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": "integer" } }, "required": [ - "roleRef" + "name", + "generation", + "resourceSliceCount" ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "rbac.authorization.k8s.io", - "kind": "RoleBinding", - "version": "v1" - } - ] + "type": "object" }, - "io.k8s.api.rbac.v1.RoleBindingList": { - "description": "RoleBindingList is a collection of RoleBindings", + "io.k8s.api.resource.v1alpha3.ResourceSlice": { + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. 
Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, - "items": { - "description": "Items is a list of RoleBindings", - "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.RoleBinding" - }, - "type": "array" - }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleBindingList" + "ResourceSlice" ] }, "metadata": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata" + }, + "spec": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." 
} }, "required": [ - "items" + "spec" ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "RoleBindingList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleList": { - "description": "RoleList is a collection of Roles", + "io.k8s.api.resource.v1alpha3.ResourceSliceList": { + "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "items": { - "description": "Items is a list of Roles", + "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "#/definitions/io.k8s.api.rbac.v1.Role" + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" }, "type": "array" }, @@ -15520,12 +15491,12 @@ "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string", "enum": [ - "RoleList" + "ResourceSliceList" ] }, "metadata": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "Standard object's metadata." + "description": "Standard list metadata" } }, "required": [ 
@@ -15534,68 +15505,55 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "rbac.authorization.k8s.io", - "kind": "RoleList", - "version": "v1" + "group": "resource.k8s.io", + "kind": "ResourceSliceList", + "version": "v1alpha3" } ] }, - "io.k8s.api.rbac.v1.RoleRef": { - "description": "RoleRef contains information that points to the role being used", + "io.k8s.api.resource.v1alpha3.ResourceSliceSpec": { + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { - "apiGroup": { - "description": "APIGroup is the group for the resource being referenced", - "type": "string" + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", + "type": "boolean" }, - "kind": { - "description": "Kind is the type of resource being referenced", - "type": "string" + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", + "items": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.Device" + }, + "type": "array", + "x-kubernetes-list-type": "atomic" }, - "name": { - "description": "Name is the name of resource being referenced", - "type": "string" - } - }, - "required": [ - "apiGroup", - "kind", - "name" - ], - "type": "object", - "x-kubernetes-map-type": "atomic" - }, - "io.k8s.api.rbac.v1.Subject": { - "description": "Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.", - "properties": { - "apiGroup": { - "description": "APIGroup holds the API group of the referenced subject. Defaults to \"\" for ServiceAccount subjects. 
Defaults to \"rbac.authorization.k8s.io\" for User and Group subjects.", + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", "type": "string" }, - "kind": { - "description": "Kind of object being referenced. Values defined by this API group are \"User\", \"Group\", and \"ServiceAccount\". If the Authorizer does not recognized the kind value, the Authorizer should report an error.", + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. This field is immutable.", "type": "string" }, - "name": { - "description": "Name of the object being referenced.", - "type": "string" + "nodeSelector": { + "$ref": "#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, - "namespace": { - "description": "Namespace of the referenced object. If the object kind is non-namespace, such as \"User\" or \"Group\", and this value is not empty the Authorizer should report an error.", - "type": "string" + "pool": { + "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "description": "Pool describes the pool that this ResourceSlice belongs to." 
} }, "required": [ - "kind", - "name" + "driver", + "pool" ], - "type": "object", - "x-kubernetes-map-type": "atomic" + "type": "object" }, - "io.k8s.api.resource.v1alpha3.AllocationResult": { + "io.k8s.api.resource.v1beta1.AllocationResult": { "description": "AllocationResult contains attributes of an allocated resource.", "properties": { "devices": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult", "description": "Devices is the result of allocating devices." }, "nodeSelector": { @@ -15605,19 +15563,19 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.BasicDevice": { + "io.k8s.api.resource.v1beta1.BasicDevice": { "description": "BasicDevice defines one device instance.", "properties": { "attributes": { "additionalProperties": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" }, "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" }, "capacity": { "additionalProperties": { - "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": "object" @@ -15625,7 +15583,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.CELDeviceSelector": { + "io.k8s.api.resource.v1beta1.CELDeviceSelector": { "description": "CELDeviceSelector contains a CEL expression for selecting a device.", "properties": { "expression": { 
@@ -15638,11 +15596,11 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.Device": { + "io.k8s.api.resource.v1beta1.Device": { "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { "basic": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.BasicDevice", "description": "Basic defines one device instance." }, "name": { @@ -15655,11 +15613,11 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration": { "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { @@ -15680,13 +15638,13 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAllocationResult": { + "io.k8s.api.resource.v1beta1.DeviceAllocationResult": { "description": "DeviceAllocationResult is the result of allocating devices.", "properties": { "config": { "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -15694,7 +15652,7 @@ "results": { "description": "Results lists all allocated devices.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15702,7 +15660,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceAttribute": { + "io.k8s.api.resource.v1beta1.DeviceAttribute": { "description": "DeviceAttribute must have exactly one field set.", "properties": { "bool": { @@ -15725,13 +15683,26 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClaim": { + "io.k8s.api.resource.v1beta1.DeviceCapacity": { + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "$ref": "#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity", + "description": "Value defines how much of a certain device capacity is available." + } + }, + "required": [ + "value" + ], + "type": "object" + }, + "io.k8s.api.resource.v1beta1.DeviceClaim": { "description": "DeviceClaim defines how to request devices with a ResourceClaim.", "properties": { "config": { "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15739,7 +15710,7 @@ "constraints": { "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -15747,7 +15718,7 @@ "requests": { "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15755,11 +15726,11 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceClaimConfiguration": { "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { @@ -15773,7 +15744,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClass": { + "io.k8s.api.resource.v1beta1.DeviceClass": { "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { 
@@ -15792,7 +15763,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec", "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -15804,21 +15775,21 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.DeviceClassConfiguration": { + "io.k8s.api.resource.v1beta1.DeviceClassConfiguration": { "description": "DeviceClassConfiguration is used in DeviceClass.", "properties": { "opaque": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceClassList": { + "io.k8s.api.resource.v1beta1.DeviceClassList": { "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { @@ -15828,7 +15799,7 @@ "items": { "description": "Items is the list of resource classes.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" }, "type": "array" }, 
@@ -15852,17 +15823,17 @@ { "group": "resource.k8s.io", "kind": "DeviceClassList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.DeviceClassSpec": { + "io.k8s.api.resource.v1beta1.DeviceClassSpec": { "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", "properties": { "config": { "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15870,7 +15841,7 @@ "selectors": { "description": "Each selector must be satisfied by a device which is claimed via this class.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15878,7 +15849,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceConstraint": { + "io.k8s.api.resource.v1beta1.DeviceConstraint": { "description": "DeviceConstraint must have exactly one field set besides Requests.", "properties": { "matchAttribute": { 
@@ -15896,7 +15867,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceRequest": { + "io.k8s.api.resource.v1beta1.DeviceRequest": { "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", "properties": { "adminAccess": { @@ -15923,7 +15894,7 @@ "selectors": { "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": "array", "x-kubernetes-list-type": "atomic" @@ -15935,7 +15906,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult": { + "io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult": { "description": "DeviceRequestAllocationResult contains the allocation result for one request.", "properties": { "adminAccess": { 
@@ -15967,17 +15938,17 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.DeviceSelector": { + "io.k8s.api.resource.v1beta1.DeviceSelector": { "description": "DeviceSelector must have exactly one field set.", "properties": { "cel": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector", "description": "CEL contains a CEL expression for selecting a device." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration": { + "io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration": { "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", "properties": { "driver": { @@ -15986,7 +15957,7 @@ }, "parameters": { "$ref": "#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", - "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions." + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, "required": [ 
@@ -15995,7 +15966,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaim": { + "io.k8s.api.resource.v1beta1.ResourceClaim": { "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16014,11 +15985,11 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, "status": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus", "description": "Status describes whether the claim is ready to use and what has been allocated." } }, @@ -16030,11 +16001,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference": { + "io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference": { "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", "properties": { "apiGroup": { @@ -16061,7 +16032,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimList": { + "io.k8s.api.resource.v1beta1.ResourceClaimList": { "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { 
@@ -16071,7 +16042,7 @@ "items": { "description": "Items is the list of resource claims.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" }, "type": "array" }, 
@@ -16095,31 +16066,31 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimSpec": { + "io.k8s.api.resource.v1beta1.ResourceClaimSpec": { "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { "devices": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim", "description": "Devices defines how to request devices." } }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimStatus": { + "io.k8s.api.resource.v1beta1.ResourceClaimStatus": { "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", "properties": { "allocation": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.AllocationResult", "description": "Allocation is set once the claim has been allocated successfully." }, "reservedFor": { "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. 
The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" }, "type": "array", "x-kubernetes-list-map-keys": [ @@ -16132,7 +16103,7 @@ }, "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplate": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplate": { "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { @@ -16151,7 +16122,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec", "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." } }, @@ -16163,11 +16134,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateList": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplateList": { "description": "ResourceClaimTemplateList is a collection of claim templates.", "properties": { "apiVersion": { @@ -16177,7 +16148,7 @@ "items": { "description": "Items is the list of resource claim templates.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" }, "type": "array" }, 
@@ -16201,11 +16172,11 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplateList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec": { + "io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec": { "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", "properties": { "metadata": { @@ -16213,7 +16184,7 @@ "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." } }, @@ -16222,7 +16193,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourcePool": { + "io.k8s.api.resource.v1beta1.ResourcePool": { "description": "ResourcePool describes the pool that ResourceSlices belong to.", "properties": { "generation": { 
@@ -16247,7 +16218,7 @@ ], "type": "object" }, - "io.k8s.api.resource.v1alpha3.ResourceSlice": { + "io.k8s.api.resource.v1beta1.ResourceSlice": { "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { 
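Review bot: The description on the renamed io.k8s.api.resource.v1beta1.ResourceSlice still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", which contradicts the v1beta1 name this hunk gives the definition. The ResourceClaimTemplate description earlier in this file's diff carries the same sentence. The sentence is unchanged context here, so the correction belongs in the source this file is generated from, but it should be tracked: anyone reading the schema description to judge the stability or gating of the type gets a stale answer.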
@@ -16266,7 +16237,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec", "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -16278,11 +16249,11 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceSliceList": { + "io.k8s.api.resource.v1beta1.ResourceSliceList": { "description": "ResourceSliceList is a collection of ResourceSlices.", "properties": { "apiVersion": { @@ -16292,7 +16263,7 @@ "items": { "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" }, "type": "array" }, @@ -16316,11 +16287,11 @@ { "group": "resource.k8s.io", "kind": "ResourceSliceList", - "version": "v1alpha3" + "version": "v1beta1" } ] }, - "io.k8s.api.resource.v1alpha3.ResourceSliceSpec": { + "io.k8s.api.resource.v1beta1.ResourceSliceSpec": { "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", "properties": { "allNodes": { @@ -16330,7 +16301,7 @@ "devices": { "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.Device" + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.Device" }, "type": "array", "x-kubernetes-list-type": "atomic" 
@@ -16348,7 +16319,7 @@ "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, "pool": { - "$ref": "#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "$ref": "#/definitions/io.k8s.api.resource.v1beta1.ResourcePool", "description": "Pool describes the pool that this ResourceSlice belongs to." } }, @@ -18698,6 +18669,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", @@ -19448,6 +19424,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master/all.json b/master/all.json index ac4f7b6bbebd715dfef432c704b2c081fdd791c4..b6b12309b738bf00317d481d05003897234246d3 100644 --- a/master/all.json +++ b/master/all.json 
@@ -79,10 +79,10 @@ "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch" }, { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" 
@@ -91,40 +91,34 @@ "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingList" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": 
"https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingList" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyList" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyList" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus" + "$ref": 
"https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind" }, { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef" }, { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" @@ -318,12 +312,6 @@ { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.authentication.v1.UserInfo" }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReview" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus" - }, { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.authentication.v1beta1.SelfSubjectReview" }, 
@@ -537,15 +525,6 @@ { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus" }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec" - }, { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.coordination.v1.Lease" }, 
@@ -1296,75 +1275,6 @@ { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.UserSubject" }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaList" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration" - }, - { - "$ref": 
"https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationList" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" - }, - { - "$ref": 
"https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" - }, - { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject" - }, { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.networking.v1.HTTPIngressPath" }, 
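Review bot: This hunk drops all 23 io.k8s.api.flowcontrol.v1beta3 entries from all.json with no replacement entries and nothing in the visible diff recording that the version is gone. A manifest that still declares that version no longer matches any entry in the aggregate, and a validation pipeline set up to skip kinds it has no schema for would then pass it unchecked. Suggest listing the removed group/versions in the commit message or changelog, alongside the authentication.v1alpha1 and certificates.v1alpha1 removals in the two hunks before this one, so consumers can pin an older schema directory or update their manifests deliberately.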
@@ -1620,6 +1530,99 @@ { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec" }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.AllocationResult" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.BasicDevice" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.Device" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" + }, + { + "$ref": 
"https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassList" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" + }, + { + "$ref": 
"https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimList" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateList" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourcePool" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceList" + }, + { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec" + }, { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.scheduling.v1.PriorityClass" }, 
diff --git a/master/allocationresult-resource-v1beta1.json b/master/allocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..4625432305440daa691455bd7a1f6e35e2752e68 --- /dev/null +++ b/master/allocationresult-resource-v1beta1.json @@ -0,0 +1,15 @@ +{ + "description": "AllocationResult contains attributes of an allocated resource.", + "properties": { + "devices": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult", + "description": "Devices is the result of allocating devices." + }, + "nodeSelector": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines where the allocated resources are available. If unset, they are available everywhere." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/allocationresult.json b/master/allocationresult.json index 22e297c4445a9e7823f3e429b98a2dccc2993359..4625432305440daa691455bd7a1f6e35e2752e68 100644 --- a/master/allocationresult.json +++ b/master/allocationresult.json @@ -2,7 +2,7 @@ "description": "AllocationResult contains attributes of an allocated resource.", "properties": { "devices": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationResult", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult", "description": "Devices is the result of allocating devices." }, "nodeSelector": { 
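Review bot: In master/allocationresult.json the "devices" $ref moves from resource.v1alpha3 to resource.v1beta1, and the index line shows the unversioned file is now the same blob (4625432305440daa691455bd7a1f6e35e2752e68) as the newly added allocationresult-resource-v1beta1.json, while all.json still lists resource.v1alpha3 definitions. A caller that resolves the unversioned file name while checking v1alpha3 objects is silently moved to the v1beta1 rules. Suggest documenting that unversioned file names track the newest version of a kind, and that callers needing a fixed version should reference the file name carrying the group and version suffix.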
diff --git a/master/applyconfiguration-admissionregistration-v1alpha1.json b/master/applyconfiguration-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..e0c6042828baab111248e45cb145a26ecd361b55 --- /dev/null +++ b/master/applyconfiguration-admissionregistration-v1alpha1.json 
@@ -0,0 +1,14 @@ +{ + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/applyconfiguration.json b/master/applyconfiguration.json new file mode 100644 index 0000000000000000000000000000000000000000..e0c6042828baab111248e45cb145a26ecd361b55 --- /dev/null +++ b/master/applyconfiguration.json 
@@ -0,0 +1,14 @@ +{ + "description": "ApplyConfiguration defines the desired configuration values of an object.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create an apply configuration. ref: https://github.com/google/cel-spec\n\nApply configurations are declared in CEL using object initialization. For example, this CEL expression returns an apply configuration to set a single field:\n\n\tObject{\n\t spec: Object.spec{\n\t serviceAccountName: \"example\"\n\t }\n\t}\n\nApply configurations may not modify atomic structs, maps or arrays due to the risk of accidental deletion of values not included in the apply configuration.\n\nCEL expressions have access to the object types needed to create apply configurations:\n\n- 'Object' - CEL type of the resource object. - 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/auditannotation-admissionregistration-v1alpha1.json b/master/auditannotation-admissionregistration-v1alpha1.json deleted file mode 100644 index a6d3ffb05ea62d6d3dc68565b78d718f67fb77ac..0000000000000000000000000000000000000000 --- a/master/auditannotation-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "description": "AuditAnnotation describes how to produce an audit annotation for an API request.", - "properties": { - "key": { - "description": "key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.", - "type": [ - "string", - "null" - ] - }, - "valueExpression": { - "description": "valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "key", - "valueExpression" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
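Review bot: The schema deleted here enforced its mandatory fields with "required": ["key", "valueExpression"], but the two ApplyConfiguration schemas added just above in this patch only say "Required." at the end of the "expression" description: they have no "required" array and type the field as ["string", "null"]. As written, an ApplyConfiguration with "expression" omitted or null passes schema validation even though the description calls the field required. If the generator derives "required" from the upstream definition, the gap is upstream and worth reporting there; otherwise add "required": ["expression"] to both applyconfiguration-admissionregistration-v1alpha1.json and applyconfiguration.json.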
diff --git a/master/basicdevice-resource-v1beta1.json b/master/basicdevice-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..b665da771432632d696faa9b66525d49ea5ae14b --- /dev/null +++ b/master/basicdevice-resource-v1beta1.json @@ -0,0 +1,27 @@ +{ + "description": "BasicDevice defines one device instance.", + "properties": { + "attributes": { + "additionalProperties": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" + }, + "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + }, + "capacity": { + "additionalProperties": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" + }, + "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", + "type": [ + "object", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/basicdevice.json b/master/basicdevice.json index c041cd392c1fd8d07415a445ea8f33269331176f..b665da771432632d696faa9b66525d49ea5ae14b 100644 --- a/master/basicdevice.json +++ b/master/basicdevice.json 
@@ -3,7 +3,7 @@ "properties": { "attributes": { "additionalProperties": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceAttribute" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAttribute" }, "description": "Attributes defines the set of attributes for this device. The name of each attribute must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ @@ -13,7 +13,7 @@ }, "capacity": { "additionalProperties": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceCapacity" }, "description": "Capacity defines the set of capacities for this device. The name of each capacity must be unique in that set.\n\nThe maximum number of attributes and capacities combined is 32.", "type": [ diff --git a/master/celdeviceselector-resource-v1beta1.json b/master/celdeviceselector-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..b63da15344f67f3be1538b3844af870028bb3d2b --- /dev/null +++ b/master/celdeviceselector-resource-v1beta1.json 
@@ -0,0 +1,17 @@ +{ + "description": "CELDeviceSelector contains a CEL expression for selecting a device.", + "properties": { + "expression": { + "description": "Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. 
Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "expression" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/clustertrustbundle-certificates-v1alpha1.json b/master/clustertrustbundle-certificates-v1alpha1.json deleted file mode 100644 index 5a6360ee09f7afb58323e9f2d9f45d24acb20f2f..0000000000000000000000000000000000000000 --- a/master/clustertrustbundle-certificates-v1alpha1.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "certificates.k8s.io/v1alpha1" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "ClusterTrustBundle" - ] - }, - "metadata": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "metadata contains the object metadata." - }, - "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec", - "description": "spec contains the signer (if any) and trust anchors." - } - }, - "required": [ - "spec" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/clustertrustbundlespec-certificates-v1alpha1.json b/master/clustertrustbundlespec-certificates-v1alpha1.json deleted file mode 100644 index 22831e1f32c81ea493f1c9fed529a7fa18df2050..0000000000000000000000000000000000000000 --- a/master/clustertrustbundlespec-certificates-v1alpha1.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master/clustertrustbundlespec.json b/master/clustertrustbundlespec.json deleted file mode 100644 index 22831e1f32c81ea493f1c9fed529a7fa18df2050..0000000000000000000000000000000000000000 --- a/master/clustertrustbundlespec.json +++ /dev/null 
@@ -1,24 +0,0 @@ -{ - "description": "ClusterTrustBundleSpec contains the signer and trust anchors.", - "properties": { - "signerName": { - "description": "signerName indicates the associated signer, if any.\n\nIn order to create or update a ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: group=certificates.k8s.io resource=signers resourceName=<the signer name> verb=attest.\n\nIf signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`.\n\nIf signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix.\n\nList/watch requests for ClusterTrustBundles can filter on this field using a `spec.signerName=NAME` field selector.", - "type": [ - "string", - "null" - ] - }, - "trustBundle": { - "description": "trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.\n\nThe data must consist only of PEM certificate blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints extension with the CA bit set. The API server will reject objects that contain duplicate certificates, or that use PEM block headers.\n\nUsers of ClusterTrustBundles, including Kubelet, are free to reorder and deduplicate certificate blocks in this file according to their own logic, as well as to drop PEM block headers and inter-block data.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "trustBundle" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
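Review bot: Deleting the unversioned `master/clustertrustbundlespec.json` together with its `-certificates-v1alpha1` copy leaves no schema for `signerName` and `trustBundle` in the part of the change visible here, so any validator that resolves ClusterTrustBundle manifests by these file names will stop finding a schema rather than report a clear version error. Please confirm the removal matches upstream and say so in the commit message. Note too that the removed schema typed both fields as plain nullable strings: the rules in its descriptions (CA bit set, no duplicate certificates, signer-name prefix on the object name) were never enforced by schema validation, so consumers should not read the deletion as a loss of those checks.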
diff --git a/master/csipersistentvolumesource-v1.json b/master/csipersistentvolumesource-v1.json index 158971952231841a1175f1fc6f4f1416af541324..c5fc72a52808ee88e754e202f72366766adb2d81 100644 --- a/master/csipersistentvolumesource-v1.json +++ b/master/csipersistentvolumesource-v1.json @@ -1,5 +1,5 @@ { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.SecretReference", diff --git a/master/csipersistentvolumesource.json b/master/csipersistentvolumesource.json index 158971952231841a1175f1fc6f4f1416af541324..c5fc72a52808ee88e754e202f72366766adb2d81 100644 --- a/master/csipersistentvolumesource.json +++ b/master/csipersistentvolumesource.json @@ -1,5 +1,5 @@ { - "description": "Represents storage that is managed by an external CSI volume driver (Beta feature)", + "description": "Represents storage that is managed by an external CSI volume driver", "properties": { "controllerExpandSecretRef": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.SecretReference", diff --git a/master/deleteoptions-meta-v1.json b/master/deleteoptions-meta-v1.json index a32d85ebc200da1a88ec749fc0bdc7be0f69044e..6db2b7de04fada1efd229b3c2de1b4989bf56e33 100644 --- a/master/deleteoptions-meta-v1.json +++ b/master/deleteoptions-meta-v1.json @@ -61,6 +61,7 @@ "rbac.authorization.k8s.io/v1alpha1", "rbac.authorization.k8s.io/v1beta1", "resource.k8s.io/v1alpha3", + "resource.k8s.io/v1beta1", "scheduling.k8s.io/v1", "scheduling.k8s.io/v1alpha1", "scheduling.k8s.io/v1beta1", 
@@ -388,6 +389,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master/deleteoptions.json b/master/deleteoptions.json index 38b684242d3535acfce27c6b98f102f9f979cc5e..c112001995adba07db25ccf82ccd14b2e10487e3 100644 --- a/master/deleteoptions.json +++ b/master/deleteoptions.json @@ -326,6 +326,11 @@ "kind": "DeleteOptions", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "DeleteOptions", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "DeleteOptions", diff --git a/master/device-resource-v1beta1.json b/master/device-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..a78dbbe26502570b6199ca53aa12cb9df3c2e3b9 --- /dev/null +++ b/master/device-resource-v1beta1.json @@ -0,0 +1,21 @@ +{ + "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", + "properties": { + "basic": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.BasicDevice", + "description": "Basic defines one device instance." + }, + "name": { + "description": "Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "name" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/device.json b/master/device.json index 643d190f31cfb3655da0bd657d61130b62646776..a78dbbe26502570b6199ca53aa12cb9df3c2e3b9 100644 --- a/master/device.json +++ b/master/device.json 
@@ -2,7 +2,7 @@ "description": "Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.", "properties": { "basic": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.BasicDevice", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.BasicDevice", "description": "Basic defines one device instance." }, "name": { diff --git a/master/deviceallocationconfiguration-resource-v1beta1.json b/master/deviceallocationconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e14a866580ccb4f110a416bd5c8acb4457012211 --- /dev/null +++ b/master/deviceallocationconfiguration-resource-v1beta1.json @@ -0,0 +1,35 @@ +{ + "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", + "properties": { + "opaque": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "source": { + "description": "Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "source" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
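Review bot: In the new `deviceallocationconfiguration-resource-v1beta1.json`, `source` is listed under `required` but typed `["string", "null"]` with no `enum`, so `source: null` or any arbitrary string passes validation even though the description uses this field to tell class-provided configuration ("not something that a normal user would have been able to set") from claim-provided configuration. If the generator can emit the allowed values, an `enum` here would let schema checks catch a mislabelled source; if not, it is worth documenting that this field is only enforced server-side. The `requests` description in the same file also reads "its applies to all requests", where the DeviceClaimConfiguration text has "it applies"; that typo should be fixed in the upstream doc comment rather than by hand in the generated file.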
diff --git a/master/deviceallocationconfiguration.json b/master/deviceallocationconfiguration.json index 01840a43e07e17e037e143a6052ec785b5313f44..e14a866580ccb4f110a416bd5c8acb4457012211 100644 --- a/master/deviceallocationconfiguration.json +++ b/master/deviceallocationconfiguration.json @@ -2,7 +2,7 @@ "description": "DeviceAllocationConfiguration gets embedded in an AllocationResult.", "properties": { "opaque": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { diff --git a/master/deviceallocationresult-resource-v1beta1.json b/master/deviceallocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..00efc3eb67316e36eaf59a25ff6079ef0f17facd --- /dev/null +++ b/master/deviceallocationresult-resource-v1beta1.json 
@@ -0,0 +1,29 @@ +{ + "description": "DeviceAllocationResult is the result of allocating devices.", + "properties": { + "config": { + "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "results": { + "description": "Results lists all allocated devices.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/deviceallocationresult.json b/master/deviceallocationresult.json index 646c5400ad986e1ad0e84a0ef624070f4c3e6be2..00efc3eb67316e36eaf59a25ff6079ef0f17facd 100644 --- a/master/deviceallocationresult.json +++ b/master/deviceallocationresult.json 
@@ -4,7 +4,7 @@ "config": { "description": "This field is a combination of all the claim and class configuration parameters. Drivers can distinguish between those based on a flag.\n\nThis includes configuration parameters for drivers which have no allocated devices in the result because it is up to the drivers which configuration parameters they support. They can silently ignore unknown configuration parameters.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceAllocationConfiguration" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration" }, "type": [ "array", @@ -15,7 +15,7 @@ "results": { "description": "Results lists all allocated devices.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequestAllocationResult" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequestAllocationResult" }, "type": [ "array", diff --git a/master/deviceattribute-resource-v1beta1.json b/master/deviceattribute-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..4ad000a165e9001a20e6cac6594729d56207f765 --- /dev/null +++ b/master/deviceattribute-resource-v1beta1.json 
@@ -0,0 +1,36 @@ +{ + "description": "DeviceAttribute must have exactly one field set.", + "properties": { + "bool": { + "description": "BoolValue is a true/false value.", + "type": [ + "boolean", + "null" + ] + }, + "int": { + "description": "IntValue is a number.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "string": { + "description": "StringValue is a string. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + }, + "version": { + "description": "VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/devicecapacity-resource-v1beta1.json b/master/devicecapacity-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c66b27da49934484fbf7af8fb06ea71f1eb355ed --- /dev/null +++ b/master/devicecapacity-resource-v1beta1.json @@ -0,0 +1,14 @@ +{ + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity", + "description": "Value defines how much of a certain device capacity is available." + } + }, + "required": [ + "value" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/devicecapacity.json b/master/devicecapacity.json new file mode 100644 index 0000000000000000000000000000000000000000..c66b27da49934484fbf7af8fb06ea71f1eb355ed --- /dev/null +++ b/master/devicecapacity.json 
@@ -0,0 +1,14 @@ +{ + "description": "DeviceCapacity describes a quantity associated with a device.", + "properties": { + "value": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity", + "description": "Value defines how much of a certain device capacity is available." + } + }, + "required": [ + "value" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/deviceclaim-resource-v1beta1.json b/master/deviceclaim-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..5fd070eb4513bc21e002fa191da9654f885c6b11 --- /dev/null +++ b/master/deviceclaim-resource-v1beta1.json 
@@ -0,0 +1,40 @@ +{ + "description": "DeviceClaim defines how to request devices with a ResourceClaim.", + "properties": { + "config": { + "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "constraints": { + "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "requests": { + "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/deviceclaim.json b/master/deviceclaim.json index 501f9ff99234a100f3530f115b61a103827e7591..5fd070eb4513bc21e002fa191da9654f885c6b11 100644 --- a/master/deviceclaim.json +++ b/master/deviceclaim.json 
@@ -4,7 +4,7 @@ "config": { "description": "This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaimConfiguration" }, "type": [ "array", @@ -15,7 +15,7 @@ "constraints": { "description": "These constraints must be satisfied by the set of devices that get allocated for the claim.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceConstraint" }, "type": [ "array", @@ -26,7 +26,7 @@ "requests": { "description": "Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceRequest" }, "type": [ "array", diff --git a/master/deviceclaimconfiguration-resource-v1beta1.json b/master/deviceclaimconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..8fd10238f40754e517d09740c96b0d607c21192d --- /dev/null +++ b/master/deviceclaimconfiguration-resource-v1beta1.json 
@@ -0,0 +1,25 @@ +{ + "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", + "properties": { + "opaque": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." + }, + "requests": { + "description": "Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/deviceclaimconfiguration.json b/master/deviceclaimconfiguration.json index b61f68724bc135a61d0ba4cb23f317386ccb2220..8fd10238f40754e517d09740c96b0d607c21192d 100644 --- a/master/deviceclaimconfiguration.json +++ b/master/deviceclaimconfiguration.json @@ -2,7 +2,7 @@ "description": "DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.", "properties": { "opaque": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." }, "requests": { diff --git a/master/clustertrustbundle.json b/master/deviceclass-resource-v1beta1.json similarity index 52% rename from master/clustertrustbundle.json rename to master/deviceclass-resource-v1beta1.json index 430b680d8545e5c5c62f902606e3a8ddf5b0ee6d..e8eb4af0992c47071465862b8339eb22c47a1fae 100644 --- a/master/clustertrustbundle.json 
+++ b/master/deviceclass-resource-v1beta1.json @@ -1,11 +1,14 @@ { - "description": "ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.", + "description": "DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" ] }, "kind": { 
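Review bot: The added DeviceClass description still says "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate." while the `apiVersion` enum added a few lines below it in the same hunk is `resource.k8s.io/v1beta1`, so the schema's own text contradicts the version it validates. Since these files are generated, the wording needs correcting in the upstream API comment and then regenerating. Separately, this file is shown as a 52% rename of `master/clustertrustbundle.json`, which is a rename-detection artifact: the two types are unrelated, so this is best reviewed as a deletion of the ClusterTrustBundle schema plus a new DeviceClass schema, and the deletion deserves its own mention in the change description.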
@@ -15,16 +18,16 @@ "null" ], "enum": [ - "ClusterTrustBundle" + "DeviceClass" ] }, "metadata": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "metadata contains the object metadata." + "description": "Standard object metadata" }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec", - "description": "spec contains the signer (if any) and trust anchors." + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec", + "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." } }, "required": [ @@ -33,9 +36,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundle", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClass", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/deviceclass.json b/master/deviceclass.json index 7caa1f5a7e8e762a38a78d31af0367d2bb509944..d1880293567316bc6613978c11dc0175fb82334b 100644 --- a/master/deviceclass.json +++ b/master/deviceclass.json 
@@ -23,7 +23,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec", "description": "Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -35,7 +35,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClass", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/selfsubjectreviewstatus-authentication-v1alpha1.json b/master/deviceclassconfiguration-resource-v1beta1.json similarity index 50% rename from master/selfsubjectreviewstatus-authentication-v1alpha1.json rename to master/deviceclassconfiguration-resource-v1beta1.json index 813a7922ffa3630cee172e3584d193a78d2f44cb..6de6a33907810626a2df1b1285ffe9cd1c3b07ac 100644 --- a/master/selfsubjectreviewstatus-authentication-v1alpha1.json +++ b/master/deviceclassconfiguration-resource-v1beta1.json 
@@ -1,9 +1,9 @@ { - "description": "SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.", + "description": "DeviceClassConfiguration is used in DeviceClass.", "properties": { - "userInfo": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.authentication.v1.UserInfo", - "description": "User attributes of the user making this request." + "opaque": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", + "description": "Opaque provides driver-specific configuration parameters." } }, "type": "object", diff --git a/master/deviceclassconfiguration.json b/master/deviceclassconfiguration.json index 9ef6ffd2649c99c35d61d4dc792355f625557ae5..6de6a33907810626a2df1b1285ffe9cd1c3b07ac 100644 --- a/master/deviceclassconfiguration.json +++ b/master/deviceclassconfiguration.json @@ -2,7 +2,7 @@ "description": "DeviceClassConfiguration is used in DeviceClass.", "properties": { "opaque": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration", "description": "Opaque provides driver-specific configuration parameters." } }, diff --git a/master/clustertrustbundlelist.json b/master/deviceclasslist-resource-v1beta1.json similarity index 77% rename from master/clustertrustbundlelist.json rename to master/deviceclasslist-resource-v1beta1.json index 0d893c2c8ff9f2b951e764682ccb91e4f26eb921..49816c461eae142e161722a3c1ded2918fbf5173 100644 --- a/master/clustertrustbundlelist.json +++ b/master/deviceclasslist-resource-v1beta1.json 
@@ -1,17 +1,20 @@ { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", + "description": "DeviceClassList is a collection of classes.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "items is a collection of ClusterTrustBundle objects", + "description": "Items is the list of resource classes.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" }, "type": [ "array", @@ -25,12 +28,12 @@ "null" ], "enum": [ - "ClusterTrustBundleList" + "DeviceClassList" ] }, "metadata": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "metadata contains the list metadata." + "description": "Standard list metadata" } }, "required": [ @@ -39,9 +42,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "DeviceClassList", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/deviceclasslist.json b/master/deviceclasslist.json index c18e31437437025fcb88db36161d503ee0a3b372..59642e5250da0d5ac35833d258e46202c5e75684 100644 --- a/master/deviceclasslist.json 
+++ b/master/deviceclasslist.json @@ -11,7 +11,7 @@ "items": { "description": "Items is the list of resource classes.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClass" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "resource.k8s.io", "kind": "DeviceClassList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/deviceclassspec-resource-v1beta1.json b/master/deviceclassspec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..242b31d89e5de9125f69ac32d7a949c03e1d0978 --- /dev/null +++ b/master/deviceclassspec-resource-v1beta1.json 
@@ -0,0 +1,29 @@ +{ + "description": "DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.", + "properties": { + "config": { + "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "selectors": { + "description": "Each selector must be satisfied by a device which is claimed via this class.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/deviceclassspec.json b/master/deviceclassspec.json index a2af2fbcd4740b2123d59750d66f03dff2c32ea4..242b31d89e5de9125f69ac32d7a949c03e1d0978 100644 --- a/master/deviceclassspec.json +++ b/master/deviceclassspec.json 
@@ -4,7 +4,7 @@ "config": { "description": "Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassConfiguration" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration" }, "type": [ "array", @@ -15,7 +15,7 @@ "selectors": { "description": "Each selector must be satisfied by a device which is claimed via this class.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": [ "array", diff --git a/master/deviceconstraint-resource-v1beta1.json b/master/deviceconstraint-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..e3879d2e719c84058823b89f38910ee3b08c1216 --- /dev/null +++ b/master/deviceconstraint-resource-v1beta1.json 
@@ -0,0 +1,28 @@ +{ + "description": "DeviceConstraint must have exactly one field set besides Requests.", + "properties": { + "matchAttribute": { + "description": "MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.", + "type": [ + "string", + "null" + ] + }, + "requests": { + "description": "Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.", + "items": { + "type": [ + "string", + "null" + ] + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/devicerequest-resource-v1beta1.json b/master/devicerequest-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..dcaf3be4682779790de206042345309b4ba1aaae --- /dev/null +++ b/master/devicerequest-resource-v1beta1.json 
@@ -0,0 +1,58 @@ +{ + "description": "DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nA DeviceClassName is currently required. Clients must check that it is indeed set. It's absence indicates that something changed in a way that is not supported by the client yet, in which case it must refuse to handle the request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "allocationMode": { + "description": "AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AlloctionMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.", + "type": [ + "string", + "null" + ] + }, + "count": { + "description": "Count is used only when the count mode is \"ExactCount\". Must be greater than zero. 
If AllocationMode is ExactCount and this field is not specified, the default is one.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "deviceClassName": { + "description": "DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label.", + "type": [ + "string", + "null" + ] + }, + "selectors": { + "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "required": [ + "name", + "deviceClassName" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/devicerequest.json b/master/devicerequest.json index f72718d2fadd506330d61904eb7181d7bc4c2b24..dcaf3be4682779790de206042345309b4ba1aaae 100644 --- a/master/devicerequest.json +++ b/master/devicerequest.json 
@@ -40,7 +40,7 @@ "selectors": { "description": "Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector" }, "type": [ "array", diff --git a/master/devicerequestallocationresult-resource-v1beta1.json b/master/devicerequestallocationresult-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..ca4bcaefa2c9456976d8bf9ae0897e39c5c7b162 --- /dev/null +++ b/master/devicerequestallocationresult-resource-v1beta1.json 
@@ -0,0 +1,48 @@ +{ + "description": "DeviceRequestAllocationResult contains the allocation result for one request.", + "properties": { + "adminAccess": { + "description": "AdminAccess indicates that this device was allocated for administrative access. See the corresponding request field for a definition of mode.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.", + "type": [ + "boolean", + "null" + ] + }, + "device": { + "description": "Device references one device instance via its name in the driver's resource pool. It must be a DNS label.", + "type": [ + "string", + "null" + ] + }, + "driver": { + "description": "Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": [ + "string", + "null" + ] + }, + "pool": { + "description": "This name together with the driver name and the device name field identify which device was allocated (`<driver name>/<pool name>/<device name>`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.", + "type": [ + "string", + "null" + ] + }, + "request": { + "description": "Request is the name of the request in the claim which caused this device to be allocated. Multiple devices may have been allocated per request.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "request", + "driver", + "pool", + "device" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/deviceselector-resource-v1beta1.json b/master/deviceselector-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..eb87b55981108391da2d141fc49b8b4fb81e76ea --- /dev/null 
+++ b/master/deviceselector-resource-v1beta1.json @@ -0,0 +1,11 @@ +{ + "description": "DeviceSelector must have exactly one field set.", + "properties": { + "cel": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector", + "description": "CEL contains a CEL expression for selecting a device." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/deviceselector.json b/master/deviceselector.json index 709f417af02b7692a9b35824714698a469a1e9ea..eb87b55981108391da2d141fc49b8b4fb81e76ea 100644 --- a/master/deviceselector.json +++ b/master/deviceselector.json @@ -2,7 +2,7 @@ "description": "DeviceSelector must have exactly one field set.", "properties": { "cel": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.CELDeviceSelector", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.CELDeviceSelector", "description": "CEL contains a CEL expression for selecting a device." } }, diff --git a/master/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json b/master/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index 81bb3cf58b7ca02bfdc6c87be349a9b13447dae4..0000000000000000000000000000000000000000 --- a/master/exemptprioritylevelconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - "description": "ExemptPriorityLevelConfiguration describes the configurable aspects of the handling of exempt requests. In the mandatory exempt configuration object the values in the fields here can be modified by authorized users, unlike the rest of the `spec`.", - "properties": { - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. This value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats nominally reserved for this priority level. This DOES NOT limit the dispatching from this priority level but affects the other priority levels through the borrowing mechanism. The server's concurrency limit (ServerCL) is divided among all the priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of zero.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/expressionwarning-admissionregistration-v1alpha1.json b/master/expressionwarning-admissionregistration-v1alpha1.json deleted file mode 100644 index 664f5a5f3e35b2f7ed032d25efed3aa49ef48f18..0000000000000000000000000000000000000000 
--- a/master/expressionwarning-admissionregistration-v1alpha1.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "description": "ExpressionWarning is a warning information that targets a specific expression.", - "properties": { - "fieldRef": { - "description": "The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"", - "type": [ - "string", - "null" - ] - }, - "warning": { - "description": "The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "fieldRef", - "warning" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/flowdistinguishermethod-flowcontrol-v1beta3.json b/master/flowdistinguishermethod-flowcontrol-v1beta3.json deleted file mode 100644 index dc443d094426da52a85528f20f79fd84ca9b683b..0000000000000000000000000000000000000000 --- a/master/flowdistinguishermethod-flowcontrol-v1beta3.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "FlowDistinguisherMethod specifies the method of a flow distinguisher.", - "properties": { - "type": { - "description": "`type` is the type of flow distinguisher method The supported types are \"ByUser\" and \"ByNamespace\". Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/flowschema-flowcontrol-v1beta3.json b/master/flowschema-flowcontrol-v1beta3.json deleted file mode 100644 index e85d9b3ac8fc27d0449569dd6db49cab762348ac..0000000000000000000000000000000000000000 --- a/master/flowschema-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "description": "FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with similar attributes and is identified by a pair of strings: the name of the FlowSchema and a \"flow distinguisher\".", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "FlowSchema" - ] - }, - "metadata": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - }, - "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec", - "description": "`spec` is the specification of the desired behavior of a FlowSchema. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - }, - "status": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus", - "description": "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" - } - }, - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchema", - "version": "v1beta3" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/flowschema.json b/master/flowschema.json index f8ea98a22bffd5807e950c6edebd261538b1ed14..075e48d862119bf6f96922358529ef903db8abfd 100644 --- a/master/flowschema.json +++ b/master/flowschema.json 
@@ -23,11 +23,11 @@ "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaSpec", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaSpec", "description": "`spec` is the specification of the desired behavior of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaStatus", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaStatus", "description": "`status` is the current status of a FlowSchema. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, @@ -36,7 +36,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchema", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/flowschemacondition-flowcontrol-v1beta3.json b/master/flowschemacondition-flowcontrol-v1beta3.json deleted file mode 100644 index c0eadafe54529d2cc485c9a245676e7a30862d4f..0000000000000000000000000000000000000000 --- a/master/flowschemacondition-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "FlowSchemaCondition describes conditions for a FlowSchema.", - "properties": { - "lastTransitionTime": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/flowschemalist.json b/master/flowschemalist.json index 339c68b0599aa8f3da63392a4a0883e5f2575a8a..62cb3ce31c5d9795093076917537f85021df6006 100644 --- a/master/flowschemalist.json +++ b/master/flowschemalist.json @@ -11,7 +11,7 @@ "items": { "description": "`items` is a list of FlowSchemas.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowSchema" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "FlowSchemaList", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" 
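Review bot: The last hunk here flips the x-kubernetes-group-version-kind of the unversioned master/flowschemalist.json from "v1beta3" to "v1" (and the hunk above it repoints the items $ref the same way) in the same patch that deletes the flowcontrol-v1beta3 schema files, so a manifest that still declares flowcontrol.apiserver.k8s.io/v1beta3 has no schema left to validate against. That is a breaking change for any CI gate that treats a missing schema as a skip rather than a failure; call the removal out in the commit message or changelog so consumers can pin to an earlier schema set for such manifests.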
diff --git a/master/flowschemaspec-flowcontrol-v1beta3.json b/master/flowschemaspec-flowcontrol-v1beta3.json deleted file mode 100644 index b64b669844d7a3801168d1c9a97d4c66debcac01..0000000000000000000000000000000000000000 --- a/master/flowschemaspec-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", - "properties": { - "distinguisherMethod": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod", - "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." - }, - "matchingPrecedence": { - "description": "`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "priorityLevelConfiguration": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference", - "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." - }, - "rules": { - "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. 
if it is an empty slice, there will be no requests matching the FlowSchema.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "priorityLevelConfiguration" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/flowschemaspec.json b/master/flowschemaspec.json index b64b669844d7a3801168d1c9a97d4c66debcac01..a2091a0ed52e84a973e6f2b55e8d9c20139865b7 100644 --- a/master/flowschemaspec.json +++ b/master/flowschemaspec.json @@ -2,7 +2,7 @@ "description": "FlowSchemaSpec describes how the FlowSchema's specification looks like.", "properties": { "distinguisherMethod": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowDistinguisherMethod", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowDistinguisherMethod", "description": "`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string." }, "matchingPrecedence": { 
@@ -14,13 +14,13 @@ ] }, "priorityLevelConfiguration": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationReference", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationReference", "description": "`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required." }, "rules": { "description": "`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PolicyRulesWithSubjects" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PolicyRulesWithSubjects" }, "type": [ "array", diff --git a/master/flowschemastatus-flowcontrol-v1beta3.json b/master/flowschemastatus-flowcontrol-v1beta3.json deleted file mode 100644 index 1e08805ca03ca4ee3004f7ce2f330781fcabe5e7..0000000000000000000000000000000000000000 --- a/master/flowschemastatus-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,23 +0,0 @@ -{ - "description": "FlowSchemaStatus represents the current state of a FlowSchema.", - "properties": { - "conditions": { - "description": "`conditions` is a list of the current states of FlowSchema.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/flowschemastatus.json b/master/flowschemastatus.json index 1e08805ca03ca4ee3004f7ce2f330781fcabe5e7..9d53e9bdecb8bb0bd3564d5c9290f4aa7b152472 100644 --- a/master/flowschemastatus.json +++ b/master/flowschemastatus.json @@ -4,7 +4,7 @@ "conditions": { "description": "`conditions` is a list of the current states of FlowSchema.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchemaCondition" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaCondition" }, "type": [ "array", diff --git a/master/groupsubject-flowcontrol-v1beta3.json b/master/groupsubject-flowcontrol-v1beta3.json deleted file mode 100644 index 421ca76742afe3dfcb7f5d27e52250cc2fbc7e5c..0000000000000000000000000000000000000000 --- a/master/groupsubject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "description": "GroupSubject holds detailed information for group-kind subject.", - "properties": { - "name": { - "description": "name is the user group that matches, or \"*\" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/jsonpatch-admissionregistration-v1alpha1.json b/master/jsonpatch-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..dbb808eff66aba537fc80dd4d4348517aabc83e0 --- /dev/null +++ b/master/jsonpatch-admissionregistration-v1alpha1.json 
@@ -0,0 +1,14 @@ +{ + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
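Review bot: the last sentences of the `expression` description in master/jsonpatch-admissionregistration-v1alpha1.json are ambiguous about which property names are reachable. Read as a regular expression, `.-/` inside `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` is a range that covers only `.` and `/`, so `-` is not matched; if a hyphen is meant to be allowed it should be placed last in the class or escaped. The same description has mismatched quoting that makes the escaping rule harder to read: `'~0' and `~1' respectively).` opens with a backtick, closes with an apostrophe and carries a stray `)`, and `'Object.<fieldName1>.<fieldName2>...<fieldNameN>`` has the same mixed quotes. Since the text documents how path keys are escaped for a mutating policy, it is worth fixing at the source of this generated text rather than in this file.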
diff --git a/master/jsonpatch.json b/master/jsonpatch.json new file mode 100644 index 0000000000000000000000000000000000000000..dbb808eff66aba537fc80dd4d4348517aabc83e0 --- /dev/null +++ b/master/jsonpatch.json 
@@ -0,0 +1,14 @@ +{ + "description": "JSONPatch defines a JSON Patch.", + "properties": { + "expression": { + "description": "expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: https://github.com/google/cel-spec\n\nexpression must return an array of JSONPatch values.\n\nFor example, this CEL expression returns a JSON patch to conditionally modify a value:\n\n\t [\n\t JSONPatch{op: \"test\", path: \"/spec/example\", value: \"Red\"},\n\t JSONPatch{op: \"replace\", path: \"/spec/example\", value: \"Green\"}\n\t ]\n\nTo define an object for the patch value, use Object types. For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/spec/selector\",\n\t value: Object.spec.selector{matchLabels: {\"environment\": \"test\"}}\n\t }\n\t ]\n\nTo use strings containing '/' and '~' as JSONPatch path keys, use \"jsonpatch.escapeKey\". For example:\n\n\t [\n\t JSONPatch{\n\t op: \"add\",\n\t path: \"/metadata/labels/\" + jsonpatch.escapeKey(\"example.com/environment\"),\n\t value: \"test\"\n\t },\n\t ]\n\nCEL expressions have access to the types needed to create JSON patches and objects:\n\n- 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has the fields 'op', 'from', 'path' and 'value'.\n See [JSON patch](https://jsonpatch.com/) for more details. The 'value' field may be set to any of: string,\n integer, array, map or object. If set, the 'path' and 'from' fields must be set to a\n [JSON pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' CEL\n function may be used to escape path keys containing '/' and '~'.\n- 'Object' - CEL type of the resource object. 
- 'Object.<fieldName>' - CEL type of object field (such as 'Object.spec') - 'Object.<fieldName1>.<fieldName2>...<fieldNameN>` - CEL type of nested field (such as 'Object.spec.containers')\n\nCEL expressions have access to the contents of the API request, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nCEL expressions have access to [Kubernetes CEL function libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries) as well as:\n\n- 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' are escaped as '~0' and `~1' respectively).\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
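Review bot: the `expression` description in master/jsonpatch.json ends with "Required.", but the schema does not enforce it: there is no `"required"` array and the type is `["string", "null"]`, so a JSONPatch object with a missing or null `expression` passes validation. The GroupSubject schema deleted earlier in this patch shows the enforcing form, `"required": [ "name" ]`. If schema validation is meant to catch an empty mutation before it reaches the API server, add `"required": [ "expression" ]` here and in the `-admissionregistration-v1alpha1` copy, which has the same blob id.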
diff --git a/master/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json b/master/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index e9f3c1008d20a690cc829307edca6d7bf7f8053f..0000000000000000000000000000000000000000 --- a/master/limitedprioritylevelconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,35 +0,0 @@ -{ - "description": "LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?", - "properties": { - "borrowingLimitPercent": { - "description": "`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "lendablePercent": { - "description": "`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. 
The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "limitResponse": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse", - "description": "`limitResponse` indicates what to do with requests that can not be executed right now" - }, - "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/limitedprioritylevelconfiguration.json b/master/limitedprioritylevelconfiguration.json index e9f3c1008d20a690cc829307edca6d7bf7f8053f..1c2352e6afdbf5a309acc3f955e36947eb8415fa 100644 --- a/master/limitedprioritylevelconfiguration.json +++ b/master/limitedprioritylevelconfiguration.json 
@@ -18,11 +18,11 @@ ] }, "limitResponse": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitResponse", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.LimitResponse", "description": "`limitResponse` indicates what to do with requests that can not be executed right now" }, "nominalConcurrencyShares": { - "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level. This field has a default value of 30.", + "description": "`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. 
The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)", "format": "int32", "type": [ "integer", diff --git a/master/limitresponse-flowcontrol-v1beta3.json b/master/limitresponse-flowcontrol-v1beta3.json deleted file mode 100644 index 394d55643572b83eab3350c62a60899ce8fb23d9..0000000000000000000000000000000000000000 --- a/master/limitresponse-flowcontrol-v1beta3.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "description": "LimitResponse defines how to handle requests that can not be executed right now.", - "properties": { - "queuing": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration", - "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." - }, - "type": { - "description": "`type` is \"Queue\" or \"Reject\". \"Queue\" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. \"Reject\" means that requests that can not be executed upon arrival are rejected. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "queuing": "Queuing" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
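Review bot: in master/limitedprioritylevelconfiguration.json, the new `nominalConcurrencyShares` description stops at "that is used to hold some request(s)" with no closing period, which reads as if the sentence was cut off. It is also the only place that says zero is an accepted value, and the visible schema context carries only `"format": "int32"` and the `integer`/`null` type. Please confirm the text is complete as generated, and if zero is the intended lower bound, consider expressing it as `"minimum": 0` so a negative share count is rejected at validation time.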
diff --git a/master/limitresponse.json b/master/limitresponse.json index 394d55643572b83eab3350c62a60899ce8fb23d9..ac9bd2ca29cd14293b4e07b6dff88922f858c3fa 100644 --- a/master/limitresponse.json +++ b/master/limitresponse.json @@ -2,7 +2,7 @@ "description": "LimitResponse defines how to handle requests that can not be executed right now.", "properties": { "queuing": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.QueuingConfiguration", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.QueuingConfiguration", "description": "`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `\"Queue\"`." }, "type": { diff --git a/master/localvolumesource-v1.json b/master/localvolumesource-v1.json index 7594a898ed0c6528c8eeac8508656cc060d229fa..49b86b0719c9f771c75abf57dfc1d2c054a2ea2b 100644 --- a/master/localvolumesource-v1.json +++ b/master/localvolumesource-v1.json @@ -1,5 +1,5 @@ { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master/localvolumesource.json b/master/localvolumesource.json index 7594a898ed0c6528c8eeac8508656cc060d229fa..49b86b0719c9f771c75abf57dfc1d2c054a2ea2b 100644 --- a/master/localvolumesource.json +++ b/master/localvolumesource.json 
@@ -1,5 +1,5 @@ { - "description": "Local represents directly-attached storage with node affinity (Beta feature)", + "description": "Local represents directly-attached storage with node affinity", "properties": { "fsType": { "description": "fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default value is to auto-select a filesystem if unspecified.", diff --git a/master/metricspec-autoscaling-v2.json b/master/metricspec-autoscaling-v2.json index b2b92d5de963c22cb67655287dbaf8ed678548d3..9c47d01232b1cc431a555690790945f740add242 100644 --- a/master/metricspec-autoscaling-v2.json +++ b/master/metricspec-autoscaling-v2.json 
@@ -3,7 +3,7 @@ "properties": { "containerResource": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource", - "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag." + "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "external": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource", 
@@ -22,7 +22,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": [ "string", "null" diff --git a/master/metricspec.json b/master/metricspec.json index b2b92d5de963c22cb67655287dbaf8ed678548d3..9c47d01232b1cc431a555690790945f740add242 100644 --- a/master/metricspec.json +++ b/master/metricspec.json 
@@ -3,7 +3,7 @@ "properties": { "containerResource": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource", - "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag." + "description": "containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "external": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource", 
@@ -22,7 +22,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.", "type": [ "string", "null" diff --git a/master/metricstatus-autoscaling-v2.json b/master/metricstatus-autoscaling-v2.json index 6b5956e065c76aa6364a8b99658e6c40dbdc936b..0d6411eb95b20364a12bc7370e1eab4abe951541 100644 --- a/master/metricstatus-autoscaling-v2.json +++ b/master/metricstatus-autoscaling-v2.json 
@@ -22,7 +22,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": [ "string", "null" diff --git a/master/metricstatus.json b/master/metricstatus.json index 6b5956e065c76aa6364a8b99658e6c40dbdc936b..0d6411eb95b20364a12bc7370e1eab4abe951541 100644 --- a/master/metricstatus.json +++ b/master/metricstatus.json 
@@ -22,7 +22,7 @@ "description": "resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source." }, "type": { - "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object. Note: \"ContainerResource\" type is available on when the feature-gate HPAContainerMetrics is enabled", + "description": "type is the type of metric source. It will be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each corresponds to a matching field in the object.", "type": [ "string", "null" diff --git a/master/validatingadmissionpolicy-admissionregistration-v1alpha1.json b/master/mutatingadmissionpolicy-admissionregistration-v1alpha1.json similarity index 68% rename from master/validatingadmissionpolicy-admissionregistration-v1alpha1.json rename to master/mutatingadmissionpolicy-admissionregistration-v1alpha1.json index dc899d2b13c28c495e59c09655e956bdd5632412..0a38eeff89bd4fffceba2898800389ad1fbf342b 100644 --- a/master/validatingadmissionpolicy-admissionregistration-v1alpha1.json +++ b/master/mutatingadmissionpolicy-admissionregistration-v1alpha1.json 
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it.", + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -18,7 +18,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicy" + "MutatingAdmissionPolicy" ] }, "metadata": { 
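Review bot: this hunk is shown as an edit of the ValidatingAdmissionPolicy description and `kind` enum only because git paired the two files at 68% similarity; the effect is that master/validatingadmissionpolicy-admissionregistration-v1alpha1.json is removed and a MutatingAdmissionPolicy schema is added. The removal of the ValidatingAdmissionPolicy v1alpha1 schema is easy to miss when reading it as a rename, so it should be called out in the commit message. Minor wording point in the added description: "coming into admission chain" is missing an article ("coming into the admission chain").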
@@ -26,19 +26,15 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicySpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicy." - }, - "status": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyStatus", - "description": "The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only." + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicy." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicy", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ], diff --git a/master/selfsubjectreview-authentication-v1alpha1.json b/master/mutatingadmissionpolicy.json similarity index 61% rename from master/selfsubjectreview-authentication-v1alpha1.json rename to master/mutatingadmissionpolicy.json index 6dce86206418ef8e95b00b2f43ff141c65db6168..8972a1c0a017125fee9a18699ac426744a978333 100644 --- a/master/selfsubjectreview-authentication-v1alpha1.json +++ b/master/mutatingadmissionpolicy.json 
@@ -1,14 +1,11 @@ { - "description": "SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request. When using impersonation, users will receive the user info of the user being impersonated. If impersonation or request header authentication is used, any extra keys will have their case ignored and returned as lowercase.", + "description": "MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" - ], - "enum": [ - "authentication.k8s.io/v1alpha1" ] }, "kind": { 
@@ -18,23 +15,23 @@ "null" ], "enum": [ - "SelfSubjectReview" + "MutatingAdmissionPolicy" ] }, "metadata": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, - "status": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.authentication.v1alpha1.SelfSubjectReviewStatus", - "description": "Status is filled in by the server with the user attributes." + "spec": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicy." } }, "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "authentication.k8s.io", - "kind": "SelfSubjectReview", + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicy", "version": "v1alpha1" } ], diff --git a/master/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json b/master/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json similarity index 63% rename from master/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json rename to master/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json index b54a7ae1a9b51d2c332bfbf2b5f8ba6154613492..d67fd0805ccd7f6a057158f9099219f9dfebc42b 100644 --- a/master/validatingadmissionpolicybinding-admissionregistration-v1alpha1.json +++ b/master/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json 
@@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -18,7 +18,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBinding" + "MutatingAdmissionPolicyBinding" ] }, "metadata": { @@ -26,15 +26,15 @@ "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBindingSpec", - "description": "Specification of the desired behavior of the ValidatingAdmissionPolicyBinding." + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicyBinding." } }, "type": "object", "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBinding", + "kind": "MutatingAdmissionPolicyBinding", "version": "v1alpha1" } ], diff --git a/master/mutatingadmissionpolicybinding.json b/master/mutatingadmissionpolicybinding.json new file mode 100644 index 0000000000000000000000000000000000000000..57f0cc34f6090b2fe7ecf0cca8b34666d9152790 --- /dev/null +++ b/master/mutatingadmissionpolicybinding.json 
@@ -0,0 +1,39 @@ +{ + "description": "MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding. Each evaluation is constrained by a [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget).\n\nAdding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBinding" + ] + }, + "metadata": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata." 
+ }, + "spec": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBindingSpec", + "description": "Specification of the desired behavior of the MutatingAdmissionPolicyBinding." + } + }, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBinding", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json b/master/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json similarity index 86% rename from master/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json rename to master/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json index d9477069cf5a1ec20dc7bc08cb1ff130e1db95b4..02aef17ee4104c5a6e8d917714bbf40da5330e66 100644 --- a/master/validatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json +++ b/master/mutatingadmissionpolicybindinglist-admissionregistration-v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.", + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", 
@@ -14,7 +14,7 @@ "items": { "description": "List of PolicyBinding.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicyBinding" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" }, "type": [ "array", @@ -28,7 +28,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyBindingList" + "MutatingAdmissionPolicyBindingList" ] }, "metadata": { @@ -43,7 +43,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyBindingList", + "kind": "MutatingAdmissionPolicyBindingList", "version": "v1alpha1" } ], diff --git a/master/mutatingadmissionpolicybindinglist.json b/master/mutatingadmissionpolicybindinglist.json new file mode 100644 index 0000000000000000000000000000000000000000..112e72b149a0aee2b138584544bc4ddc451d8679 --- /dev/null +++ b/master/mutatingadmissionpolicybindinglist.json 
@@ -0,0 +1,48 @@ +{ + "description": "MutatingAdmissionPolicyBindingList is a list of MutatingAdmissionPolicyBinding.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "items": { + "description": "List of PolicyBinding.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicyBinding" + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyBindingList" + ] + }, + "metadata": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyBindingList", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
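Review bot: in the new master/mutatingadmissionpolicybindinglist.json, `items` is listed under "required" but its type is ["array", "null"], so a list carrying "items": null still passes validation against this schema. If a binding list is always expected to carry an array, drop "null" from the type of `items`. The `items` description "List of PolicyBinding." also does not name the kind its $ref points at; "List of MutatingAdmissionPolicyBinding." would agree with the top-level description.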
diff --git a/master/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json b/master/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..d667f2667ee2e4b182ceec67f7fc305bbe61079c --- /dev/null +++ b/master/mutatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json 
@@ -0,0 +1,22 @@ +{ + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", + "description": "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT." + }, + "paramRef": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. 
If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/mutatingadmissionpolicybindingspec.json b/master/mutatingadmissionpolicybindingspec.json new file mode 100644 index 0000000000000000000000000000000000000000..d667f2667ee2e4b182ceec67f7fc305bbe61079c --- /dev/null +++ b/master/mutatingadmissionpolicybindingspec.json 
@@ -0,0 +1,22 @@ +{ + "description": "MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding.", + "properties": { + "matchResources": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", + "description": "matchResources limits what resources match this binding and may be mutated by it. Note that if matchResources matches a resource, the resource must also match a policy's matchConstraints and matchConditions before the resource may be mutated. When matchResources is unset, it does not constrain resource matching, and only the policy's matchConstraints and matchConditions must match for the resource to be mutated. Additionally, matchResources.resourceRules are optional and do not constraint matching when unset. Note that this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT." + }, + "paramRef": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", + "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in spec.ParamKind of the bound MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." + }, + "policyName": { + "description": "policyName references a MutatingAdmissionPolicy name which the MutatingAdmissionPolicyBinding binds to. 
If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", + "type": [ + "string", + "null" + ] + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/validatingadmissionpolicylist-admissionregistration-v1alpha1.json b/master/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json similarity index 88% rename from master/validatingadmissionpolicylist-admissionregistration-v1alpha1.json rename to master/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json index 2713fbcf77bac9550e00aa3cd3a3082b2c33b7b2..575ab848ec0c0f84fad34995f97b8c6a34e962b8 100644 --- a/master/validatingadmissionpolicylist-admissionregistration-v1alpha1.json +++ b/master/mutatingadmissionpolicylist-admissionregistration-v1alpha1.json @@ -1,5 +1,5 @@ { - "description": "ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.", + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -14,7 +14,7 @@ "items": { "description": "List of ValidatingAdmissionPolicy.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ValidatingAdmissionPolicy" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" }, "type": [ "array", @@ -28,7 +28,7 @@ "null" ], "enum": [ - "ValidatingAdmissionPolicyList" + "MutatingAdmissionPolicyList" ] }, "metadata": { 
@@ -43,7 +43,7 @@ "x-kubernetes-group-version-kind": [ { "group": "admissionregistration.k8s.io", - "kind": "ValidatingAdmissionPolicyList", + "kind": "MutatingAdmissionPolicyList", "version": "v1alpha1" } ], diff --git a/master/mutatingadmissionpolicylist.json b/master/mutatingadmissionpolicylist.json new file mode 100644 index 0000000000000000000000000000000000000000..cb0e0665b0d8f43ae235ec4cce5a651ebc0d65a2 --- /dev/null +++ b/master/mutatingadmissionpolicylist.json 
@@ -0,0 +1,48 @@ +{ + "description": "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ] + }, + "items": { + "description": "List of ValidatingAdmissionPolicy.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy" + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "MutatingAdmissionPolicyList" + ] + }, + "metadata": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "admissionregistration.k8s.io", + "kind": "MutatingAdmissionPolicyList", + "version": "v1alpha1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
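Review bot: the `items` description in the new master/mutatingadmissionpolicylist.json still reads "List of ValidatingAdmissionPolicy." while its $ref points at io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy and the top-level description says "MutatingAdmissionPolicyList is a list of MutatingAdmissionPolicy." The string looks carried over from the validating schema and should read "List of MutatingAdmissionPolicy." The same text appears as unchanged context in the renamed mutatingadmissionpolicylist-admissionregistration-v1alpha1.json, so both files need the fix, or, if these files are generated, the source they are generated from.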
diff --git a/master/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json b/master/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..bdac077e0d5145c957ccebc6fcc0cf927ddf11a3 --- /dev/null +++ b/master/mutatingadmissionpolicyspec-admissionregistration-v1alpha1.json 
@@ -0,0 +1,67 @@ +{ + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. 
If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", + "description": "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required." + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. 
The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", + "description": "paramKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null." + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/mutatingadmissionpolicyspec.json b/master/mutatingadmissionpolicyspec.json new file mode 100644 index 0000000000000000000000000000000000000000..bdac077e0d5145c957ccebc6fcc0cf927ddf11a3 --- /dev/null +++ b/master/mutatingadmissionpolicyspec.json 
@@ -0,0 +1,67 @@ +{ + "description": "MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy.", + "properties": { + "failurePolicy": { + "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if paramKind refers to a non-existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", + "type": [ + "string", + "null" + ] + }, + "matchConditions": { + "description": "matchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the matchConstraints. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. 
If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "name" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "matchConstraints": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", + "description": "matchConstraints specifies what resources this policy is designed to validate. The MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required." + }, + "mutations": { + "description": "mutations contain operations to perform on matching objects. mutations may not be empty; a minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according to the reinvocationPolicy. 
The mutations of a policy are invoked for each binding of this policy and reinvocation of mutations occurs on a per binding basis.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Mutation" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "paramKind": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", + "description": "paramKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in MutatingAdmissionPolicyBinding, the params variable will be null." + }, + "reinvocationPolicy": { + "description": "reinvocationPolicy indicates whether mutations may be called multiple times per MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: These mutations will not be called more than once per binding in a single admission evaluation.\n\nIfNeeded: These mutations may be invoked more than once per binding for a single admission request and there is no guarantee of order with respect to other admission plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only reinvoked when mutations change the object after this mutation is invoked. Required.", + "type": [ + "string", + "null" + ] + }, + "variables": { + "description": "variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. 
The variables defined here will be available under `variables` in other expressions of the policy except matchConditions because matchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, variables must be sorted by the order of first appearance and acyclic.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/mutation-admissionregistration-v1alpha1.json b/master/mutation-admissionregistration-v1alpha1.json new file mode 100644 index 0000000000000000000000000000000000000000..829da24b25946a9f373ff2e50975d539c56492bb --- /dev/null +++ b/master/mutation-admissionregistration-v1alpha1.json 
@@ -0,0 +1,25 @@ +{ + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration", + "description": "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration." + }, + "jsonPatch": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch", + "description": "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch." + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "patchType" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/mutation.json b/master/mutation.json new file mode 100644 index 0000000000000000000000000000000000000000..829da24b25946a9f373ff2e50975d539c56492bb --- /dev/null +++ b/master/mutation.json 
@@ -0,0 +1,25 @@ +{ + "description": "Mutation specifies the CEL expression which is used to apply the Mutation.", + "properties": { + "applyConfiguration": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ApplyConfiguration", + "description": "applyConfiguration defines the desired configuration values of an object. The configuration is applied to the admission object using [structured merge diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to create apply configuration." + }, + "jsonPatch": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.JSONPatch", + "description": "jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to the object. A CEL expression is used to create the JSON patch." + }, + "patchType": { + "description": "patchType indicates the patch strategy used. Allowed values are \"ApplyConfiguration\" and \"JSONPatch\". Required.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "patchType" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/nonresourcepolicyrule-flowcontrol-v1beta3.json b/master/nonresourcepolicyrule-flowcontrol-v1beta3.json deleted file mode 100644 index ca6d9120033411e377badab96c0a0ac965eb86cb..0000000000000000000000000000000000000000 --- a/master/nonresourcepolicyrule-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.", - "properties": { - "nonResourceURLs": { - "description": "`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "nonResourceURLs" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/opaquedeviceconfiguration-resource-v1alpha3.json b/master/opaquedeviceconfiguration-resource-v1alpha3.json index f36a53e4021209ed8cbb1b10ebfed40a54399854..d58b137d7e964e826058103afb7b0e46adf9aab3 100644 --- a/master/opaquedeviceconfiguration-resource-v1alpha3.json +++ b/master/opaquedeviceconfiguration-resource-v1alpha3.json 
@@ -10,7 +10,7 @@ }, "parameters": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", - "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions." + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, "required": [ diff --git a/master/opaquedeviceconfiguration-resource-v1beta1.json b/master/opaquedeviceconfiguration-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..d58b137d7e964e826058103afb7b0e46adf9aab3 --- /dev/null +++ b/master/opaquedeviceconfiguration-resource-v1beta1.json 
@@ -0,0 +1,22 @@ +{ + "description": "OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.", + "properties": { + "driver": { + "description": "Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.", + "type": [ + "string", + "null" + ] + }, + "parameters": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." + } + }, + "required": [ + "driver", + "parameters" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/opaquedeviceconfiguration.json b/master/opaquedeviceconfiguration.json index f36a53e4021209ed8cbb1b10ebfed40a54399854..d58b137d7e964e826058103afb7b0e46adf9aab3 100644 --- a/master/opaquedeviceconfiguration.json +++ b/master/opaquedeviceconfiguration.json 
@@ -10,7 +10,7 @@ }, "parameters": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension", - "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions." + "description": "Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki." } }, "required": [ diff --git a/master/persistentvolumespec-v1.json b/master/persistentvolumespec-v1.json index 9f99230c71d20d6e5a7eb2ea9ff15af6ab7df489..ab30fe848494c5c4f1ad81b29f47704de9ec1379 100644 --- a/master/persistentvolumespec-v1.json +++ b/master/persistentvolumespec-v1.json 
@@ -17,15 +17,15 @@ }, "awsElasticBlockStore": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "capacity": { "additionalProperties": { 
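Review bot: the deprecation of awsElasticBlockStore, azureDisk and azureFile is recorded only inside the "description" strings in this hunk; each "$ref" line is unchanged, so a validator driven by this schema still accepts all three fields with no warning. If this schema is used to keep deprecated in-tree volume sources out of manifests, that needs a separate lint rule keyed on the field names, and the change description should say so, because nothing machine-readable changes here.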
@@ -39,11 +39,11 @@ }, "cephfs": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "claimRef": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ObjectReference", @@ -52,7 +52,7 @@ }, "csi": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource", - "description": "csi represents storage that is handled by an external CSI driver (Beta feature)." + "description": "csi represents storage that is handled by an external CSI driver." }, "fc": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FCVolumeSource", 
@@ -60,19 +60,19 @@ }, "flexVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "glusterfs": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource", - "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
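Review bot: the flexVolume description in this hunk says only "Consider using a CSIDriver instead", while flocker and glusterfs say the in-tree type "is no longer supported" and gcePersistentDisk says operations are redirected to pd.csi.storage.gke.io. A reader cannot tell from this text whether a flexVolume PersistentVolume still works. Since flexVolume is the "exec based plugin" path, its status should be stated as plainly as the neighbouring fields, or the gap raised upstream if these strings are generated.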
@@ -117,23 +117,23 @@ }, "photonPersistentDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "quobyte": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "storageClassName": { "description": "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.", 
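Review bot: portworxVolume is the only field in this hunk whose redirect is conditional: "redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on". The description does not say what happens with the gate off, while photonPersistentDisk, quobyte, rbd and scaleIO beside it are all "no longer supported". Please state the gate-off behaviour, because a manifest that validates against this schema will behave differently depending on a cluster setting the schema cannot see.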
@@ -144,7 +144,7 @@ }, "storageos": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource", - "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md" + "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md" }, "volumeAttributesClassName": { "description": "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).", @@ -162,7 +162,7 @@ }, "vsphereVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "type": "object", 
diff --git a/master/persistentvolumespec.json b/master/persistentvolumespec.json index 9f99230c71d20d6e5a7eb2ea9ff15af6ab7df489..ab30fe848494c5c4f1ad81b29f47704de9ec1379 100644 --- a/master/persistentvolumespec.json +++ b/master/persistentvolumespec.json 
@@ -17,15 +17,15 @@ }, "awsElasticBlockStore": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." }, "capacity": { "additionalProperties": { 
@@ -39,11 +39,11 @@ }, "cephfs": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "claimRef": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ObjectReference", @@ -52,7 +52,7 @@ }, "csi": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource", - "description": "csi represents storage that is handled by an external CSI driver (Beta feature)." + "description": "csi represents storage that is handled by an external CSI driver." }, "fc": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FCVolumeSource", 
@@ -60,19 +60,19 @@ }, "flexVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "glusterfs": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource", - "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
@@ -117,23 +117,23 @@ }, "photonPersistentDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "quobyte": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. 
More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "storageClassName": { "description": "storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.", 
@@ -144,7 +144,7 @@ }, "storageos": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource", - "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md" + "description": "storageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. More info: https://examples.k8s.io/volumes/storageos/README.md" }, "volumeAttributesClassName": { "description": "Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding process. This is a beta field and requires enabling VolumeAttributesClass feature (off by default).", @@ -162,7 +162,7 @@ }, "vsphereVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "type": "object", 
diff --git a/master/podstatus-v1.json b/master/podstatus-v1.json index 60eec1be61fcbcbc70fc8fe5a35c017a0540482b..16eeafe747adb7e1eb2bdfb142e2c7b1b54e745f 100644 --- a/master/podstatus-v1.json +++ b/master/podstatus-v1.json @@ -18,7 +18,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
@@ -29,7 +29,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
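Review bot: the new `ephemeralContainerStatuses` description says that one status per container "is not enforced", and the schema side of this hunk agrees, since `items` stays a bare `$ref` to `ContainerStatus` with no uniqueness constraint. Anything that consumes pod status through this schema and indexes entries by container name should treat duplicate names and names absent from the pod as untrusted input rather than assume one entry per container. A line in the changelog pointing at the changed wording would help downstream users notice that the old "one entry per container" reading no longer holds.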
@@ -60,7 +60,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, diff --git a/master/podstatus.json b/master/podstatus.json index 60eec1be61fcbcbc70fc8fe5a35c017a0540482b..16eeafe747adb7e1eb2bdfb142e2c7b1b54e745f 100644 --- a/master/podstatus.json +++ b/master/podstatus.json 
@@ -18,7 +18,7 @@ "x-kubernetes-patch-strategy": "merge" }, "containerStatuses": { - "description": "The list has one entry per container in the manifest. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, @@ -29,7 +29,7 @@ "x-kubernetes-list-type": "atomic" }, "ephemeralContainerStatuses": { - "description": "Status for any ephemeral containers that have run in this pod.", + "description": "Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", "items": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, 
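Review bot: the "More info" links added in the `containerStatuses` and `ephemeralContainerStatuses` descriptions use `pod-lifecycle#pod-and-container-status`, while the `initContainerStatuses` description changed in the same file uses `pod-lifecycle/#pod-and-container-status` with an extra slash. Both forms appear in this patch for the same anchor, so pick one. Since these strings are generated, the consistent form should be fixed at the source of the descriptions instead of being edited in this file.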
@@ -60,7 +60,7 @@ "x-kubernetes-patch-strategy": "merge" }, "initContainerStatuses": { - "description": "The list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status", + "description": "Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status", "items": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ContainerStatus" }, diff --git a/master/policyruleswithsubjects-flowcontrol-v1beta3.json b/master/policyruleswithsubjects-flowcontrol-v1beta3.json deleted file mode 100644 index f40f35c5fc864e0026f927f63466b6494961c1b4..0000000000000000000000000000000000000000 --- a/master/policyruleswithsubjects-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - "description": "PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.", - "properties": { - "nonResourceRules": { - "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "resourceRules": { - "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "subjects": { - "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. 
Required.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "required": [ - "subjects" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/policyruleswithsubjects.json b/master/policyruleswithsubjects.json index f40f35c5fc864e0026f927f63466b6494961c1b4..d4cc9501e82eea9b5225f493ea06afeb6e800975 100644 --- a/master/policyruleswithsubjects.json +++ b/master/policyruleswithsubjects.json @@ -4,7 +4,7 @@ "nonResourceRules": { "description": "`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.NonResourcePolicyRule" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.NonResourcePolicyRule" }, "type": [ "array", @@ -15,7 +15,7 @@ "resourceRules": { "description": "`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ResourcePolicyRule" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.ResourcePolicyRule" }, "type": [ "array", 
@@ -26,7 +26,7 @@ "subjects": { "description": "subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.Subject" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.Subject" }, "type": [ "array", diff --git a/master/prioritylevelconfiguration.json b/master/prioritylevelconfiguration.json index 8c1f55acda07ed788b05c3f90fd5e5d2bf64facd..3c6a3a441e19e38082c0cacb260481de0ec179f4 100644 --- a/master/prioritylevelconfiguration.json +++ b/master/prioritylevelconfiguration.json 
@@ -23,11 +23,11 @@ "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationSpec", "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" }, "status": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationStatus", "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" } }, @@ -36,7 +36,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json b/master/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json deleted file mode 100644 index d25e0ceeadb253a8924dca6619a69a49aeecbdc7..0000000000000000000000000000000000000000 --- a/master/prioritylevelconfigurationcondition-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "PriorityLevelConfigurationCondition defines the condition of priority level.", - "properties": { - "lastTransitionTime": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time", - "description": "`lastTransitionTime` is the last time the condition transitioned from one status to another." - }, - "message": { - "description": "`message` is a human-readable message indicating details about last transition.", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "`reason` is a unique, one-word, CamelCase reason for the condition's last transition.", - "type": [ - "string", - "null" - ] - }, - "status": { - "description": "`status` is the status of the condition. Can be True, False, Unknown. Required.", - "type": [ - "string", - "null" - ] - }, - "type": { - "description": "`type` is the type of the condition. Required.", - "type": [ - "string", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/prioritylevelconfigurationlist-flowcontrol-v1beta3.json b/master/prioritylevelconfigurationlist-flowcontrol-v1beta3.json deleted file mode 100644 index e69494cae9378ec2139e46936725621dcd904a6e..0000000000000000000000000000000000000000 --- a/master/prioritylevelconfigurationlist-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "description": "PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.", - "properties": { - "apiVersion": { - "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", - "type": [ - "string", - "null" - ], - "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" - ] - }, - "items": { - "description": "`items` is a list of request-priorities.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" - }, - "type": [ - "array", - "null" - ] - }, - "kind": { - "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": [ - "string", - "null" - ], - "enum": [ - "PriorityLevelConfigurationList" - ] - }, - "metadata": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" - } - }, - "required": [ - "items" - ], - "type": "object", - "x-kubernetes-group-version-kind": [ - { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
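Review bot: this deletion, together with the other `-flowcontrol-v1beta3` files removed in this patch and the unversioned files being re-pointed at `io.k8s.api.flowcontrol.v1.*`, leaves no schema under `master/` for these kinds whose `apiVersion` enum is `flowcontrol.apiserver.k8s.io/v1beta3`. A validator that resolves schemas by group and version will then have nothing to check a manifest still pinned to v1beta3 against. Please confirm the drop is intended and state the move to `v1` in the commit message, so a missing-schema result for PriorityLevelConfiguration manifests is understood as a required migration and not waved through as a tooling glitch.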
diff --git a/master/prioritylevelconfigurationlist.json b/master/prioritylevelconfigurationlist.json index d591e81a679c5bfce7fc6de86f14e4b95f5570cd..9955166eba36a3356e266588089d83193e07eb79 100644 --- a/master/prioritylevelconfigurationlist.json +++ b/master/prioritylevelconfigurationlist.json @@ -11,7 +11,7 @@ "items": { "description": "`items` is a list of request-priorities.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfiguration" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfiguration" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "flowcontrol.apiserver.k8s.io", "kind": "PriorityLevelConfigurationList", - "version": "v1beta3" + "version": "v1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/prioritylevelconfigurationreference-flowcontrol-v1beta3.json b/master/prioritylevelconfigurationreference-flowcontrol-v1beta3.json deleted file mode 100644 index 009271c11f11a90f54a5a8e6b420cec6286da4d9..0000000000000000000000000000000000000000 --- a/master/prioritylevelconfigurationreference-flowcontrol-v1beta3.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "PriorityLevelConfigurationReference contains information that points to the \"request-priority\" being used.", - "properties": { - "name": { - "description": "`name` is the name of the priority level configuration being referenced Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master/prioritylevelconfigurationspec-flowcontrol-v1beta3.json b/master/prioritylevelconfigurationspec-flowcontrol-v1beta3.json deleted file mode 100644 index 76010162302a1854c8fa9653b804c0263ff80cb5..0000000000000000000000000000000000000000 --- a/master/prioritylevelconfigurationspec-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", - "properties": { - "exempt": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration", - "description": "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply." - }, - "limited": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration", - "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." - }, - "type": { - "description": "`type` indicates whether this priority level is subject to limitation on request execution. A value of `\"Exempt\"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `\"Limited\"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "type" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "type", - "fields-to-discriminateBy": { - "exempt": "Exempt", - "limited": "Limited" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master/prioritylevelconfigurationspec.json b/master/prioritylevelconfigurationspec.json index 76010162302a1854c8fa9653b804c0263ff80cb5..a7fa5e82a586cda277b802acebbea4a14ea51bc8 100644 --- a/master/prioritylevelconfigurationspec.json +++ b/master/prioritylevelconfigurationspec.json @@ -2,11 +2,11 @@ "description": "PriorityLevelConfigurationSpec specifies the configuration of a priority level.", "properties": { "exempt": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ExemptPriorityLevelConfiguration", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.ExemptPriorityLevelConfiguration", "description": "`exempt` specifies how requests are handled for an exempt priority level. This field MUST be empty if `type` is `\"Limited\"`. This field MAY be non-empty if `type` is `\"Exempt\"`. If empty and `type` is `\"Exempt\"` then the default values for `ExemptPriorityLevelConfiguration` apply." }, "limited": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.LimitedPriorityLevelConfiguration", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration", "description": "`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `\"Limited\"`." }, "type": { diff --git a/master/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json b/master/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json deleted file mode 100644 index e203fd26172dd968a1ac867a5ee7282770ff79bd..0000000000000000000000000000000000000000 
--- a/master/prioritylevelconfigurationstatus-flowcontrol-v1beta3.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "description": "PriorityLevelConfigurationStatus represents the current state of a \"request-priority\".", - "properties": { - "conditions": { - "description": "`conditions` is the current state of \"request-priority\".", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "type", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/prioritylevelconfigurationstatus.json b/master/prioritylevelconfigurationstatus.json index e203fd26172dd968a1ac867a5ee7282770ff79bd..b08826bed1546ad14693425aa68d1b93eedf242c 100644 --- a/master/prioritylevelconfigurationstatus.json +++ b/master/prioritylevelconfigurationstatus.json @@ -4,7 +4,7 @@ "conditions": { "description": "`conditions` is the current state of \"request-priority\".", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationCondition" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1.PriorityLevelConfigurationCondition" }, "type": [ "array", diff --git a/master/queuingconfiguration-flowcontrol-v1beta3.json b/master/queuingconfiguration-flowcontrol-v1beta3.json deleted file mode 100644 index a32f9fa0db3560a275f08d45fbe5604ea0ee691c..0000000000000000000000000000000000000000 --- a/master/queuingconfiguration-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,31 +0,0 @@ -{ - "description": "QueuingConfiguration holds the configuration parameters for queuing", - "properties": { - "handSize": { - "description": "`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queueLengthLimit": { - "description": "`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.", - "format": "int32", - "type": [ - "integer", - "null" - ] - }, - "queues": { - "description": "`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.", - "format": "int32", - "type": [ - "integer", - "null" - ] - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
diff --git a/master/prioritylevelconfiguration-flowcontrol-v1beta3.json b/master/resourceclaim-resource-v1beta1.json similarity index 59% rename from master/prioritylevelconfiguration-flowcontrol-v1beta3.json rename to master/resourceclaim-resource-v1beta1.json index fd533dced0efdcac8fa3dc803272120010e8c345..caa0c7644dca1dde4e26fbe10bb618feb9970807 100644 --- a/master/prioritylevelconfiguration-flowcontrol-v1beta3.json +++ b/master/resourceclaim-resource-v1beta1.json @@ -1,5 +1,5 @@ { - "description": "PriorityLevelConfiguration represents the configuration of a priority level.", + "description": "ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,7 +8,7 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "kind": { 
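Review bot: the new `description` in the first hunk ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate", but the `apiVersion` enum set in the next hunk is `resource.k8s.io/v1beta1`. The two statements disagree about the maturity of ResourceClaim, and readers use that wording to decide whether the API is safe to depend on. The description looks carried over from the earlier alpha version; it should be corrected where the text is generated so that the schema for `v1beta1` does not describe itself as alpha.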
@@ -18,28 +18,31 @@ "null" ], "enum": [ - "PriorityLevelConfiguration" + "ResourceClaim" ] }, "metadata": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", - "description": "`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard object metadata" }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationSpec", - "description": "`spec` is the specification of the desired behavior of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", + "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, "status": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.PriorityLevelConfigurationStatus", - "description": "`status` is the current status of a \"request-priority\". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus", + "description": "Status describes whether the claim is ready to use and what has been allocated." 
} }, + "required": [ + "spec" + ], "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "PriorityLevelConfiguration", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceClaim", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/resourceclaim.json b/master/resourceclaim.json index 03971dc22ff953f91aac60916f5db2af3a677002..b2f555117be9d05cd4ad30afafc1cbda6e6496ee 100644 --- a/master/resourceclaim.json +++ b/master/resourceclaim.json @@ -23,11 +23,11 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec describes what is being requested and how to configure it. The spec is immutable." }, "status": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimStatus", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimStatus", "description": "Status describes whether the claim is ready to use and what has been allocated." } }, @@ -39,7 +39,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaim", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/resourceclaimconsumerreference-resource-v1beta1.json b/master/resourceclaimconsumerreference-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c7b403264ba65696555b8191da3d5be36cdc9f30 --- /dev/null 
+++ b/master/resourceclaimconsumerreference-resource-v1beta1.json @@ -0,0 +1,40 @@ +{ + "description": "ResourceClaimConsumerReference contains enough information to let you locate the consumer of a ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim.", + "properties": { + "apiGroup": { + "description": "APIGroup is the group for the resource being referenced. It is empty for the core API. This matches the group in the APIVersion that is used when creating the resources.", + "type": [ + "string", + "null" + ] + }, + "name": { + "description": "Name is the name of resource being referenced.", + "type": [ + "string", + "null" + ] + }, + "resource": { + "description": "Resource is the type of resource being referenced, for example \"pods\".", + "type": [ + "string", + "null" + ] + }, + "uid": { + "description": "UID identifies exactly one incarnation of the resource.", + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "resource", + "name", + "uid" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/clustertrustbundlelist-certificates-v1alpha1.json b/master/resourceclaimlist-resource-v1beta1.json similarity index 76% rename from master/clustertrustbundlelist-certificates-v1alpha1.json rename to master/resourceclaimlist-resource-v1beta1.json index ff2416915f1abe823d481c318ea31b842e322f71..0634e4ad9f84cabb17c63f9dece75a79c055eb27 100644 --- a/master/clustertrustbundlelist-certificates-v1alpha1.json +++ b/master/resourceclaimlist-resource-v1beta1.json 
@@ -1,5 +1,5 @@ { - "description": "ClusterTrustBundleList is a collection of ClusterTrustBundle objects", + "description": "ResourceClaimList is a collection of claims.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,13 +8,13 @@ "null" ], "enum": [ - "certificates.k8s.io/v1alpha1" + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "items is a collection of ClusterTrustBundle objects", + "description": "Items is the list of resource claims.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" }, "type": [ "array", @@ -28,12 +28,12 @@ "null" ], "enum": [ - "ClusterTrustBundleList" + "ResourceClaimList" ] }, "metadata": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "metadata contains the list metadata." + "description": "Standard list metadata" } }, "required": [ @@ -42,9 +42,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "certificates.k8s.io", - "kind": "ClusterTrustBundleList", - "version": "v1alpha1" + "group": "resource.k8s.io", + "kind": "ResourceClaimList", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/resourceclaimlist.json b/master/resourceclaimlist.json index ced452374ae44d027f551cf2b1ab1a5c3ac10cf9..6e97d5d9a4eda696b01cc22d93c59ffb2d779ce4 100644 
--- a/master/resourceclaimlist.json +++ b/master/resourceclaimlist.json @@ -11,7 +11,7 @@ "items": { "description": "Items is the list of resource claims.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaim" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaim" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/resourceclaimspec-resource-v1beta1.json b/master/resourceclaimspec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..98f40c5d3f68aa6b8b47c156a81911f07b5cda8d --- /dev/null +++ b/master/resourceclaimspec-resource-v1beta1.json @@ -0,0 +1,11 @@ +{ + "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", + "properties": { + "devices": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim", + "description": "Devices defines how to request devices." + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/resourceclaimspec.json b/master/resourceclaimspec.json index 01c7be8409c05f193de922c80d81265a5e2c7aec..98f40c5d3f68aa6b8b47c156a81911f07b5cda8d 100644 --- a/master/resourceclaimspec.json +++ b/master/resourceclaimspec.json 
@@ -2,7 +2,7 @@ "description": "ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.", "properties": { "devices": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.DeviceClaim", "description": "Devices defines how to request devices." } }, diff --git a/master/resourceclaimstatus-resource-v1beta1.json b/master/resourceclaimstatus-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..d4ccb0f5471d8fabd735fddefeeb2486c8c3f981 --- /dev/null +++ b/master/resourceclaimstatus-resource-v1beta1.json 
@@ -0,0 +1,27 @@ +{ + "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", + "properties": { + "allocation": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.AllocationResult", + "description": "Allocation is set once the claim has been allocated successfully." + }, + "reservedFor": { + "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-map-keys": [ + "uid" + ], + "x-kubernetes-list-type": "map", + "x-kubernetes-patch-merge-key": "uid", + "x-kubernetes-patch-strategy": "merge" + } + }, + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
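Review bot: the `reservedFor` description in this new file states "There can be at most 32 such reservations", but the property carries no `maxItems`, so the limit exists only as prose. An object with more than 32 entries validates cleanly against this schema and the cap is left for the API server to enforce. If the generator can emit it, add `"maxItems": 32` next to `x-kubernetes-list-type`; otherwise treat validation against this file as a shape check only, not as enforcement of the reservation limit.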
diff --git a/master/resourceclaimstatus.json b/master/resourceclaimstatus.json index 1a0ba3a12a3d19afca66ce3f0b7d5a95107591e0..d4ccb0f5471d8fabd735fddefeeb2486c8c3f981 100644 --- a/master/resourceclaimstatus.json +++ b/master/resourceclaimstatus.json 
@@ -2,13 +2,13 @@ "description": "ResourceClaimStatus tracks whether the resource has been allocated and what the result of that was.", "properties": { "allocation": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.AllocationResult", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.AllocationResult", "description": "Allocation is set once the claim has been allocated successfully." }, "reservedFor": { "description": "ReservedFor indicates which entities are currently allowed to use the claim. A Pod which references a ResourceClaim which is not reserved for that Pod will not be started. A claim that is in use or might be in use because it has been reserved must not get deallocated.\n\nIn a cluster with multiple scheduler instances, two pods might get scheduled concurrently by different schedulers. When they reference the same ResourceClaim which already has reached its maximum number of consumers, only one pod can be scheduled.\n\nBoth schedulers try to add their pod to the claim.status.reservedFor field, but only the update that reaches the API server first gets stored. The other one fails with an error and the scheduler which issued it knows that it must put the pod back into the queue, waiting for the ResourceClaim to become usable again.\n\nThere can be at most 32 such reservations. This may get increased in the future, but not reduced.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimConsumerReference" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimConsumerReference" }, "type": [ "array", 
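Review bot: the unversioned `master/resourceclaimstatus.json` changes meaning here, because `allocation` and the `reservedFor` items now resolve through `io.k8s.api.resource.v1beta1.*` where they previously resolved through `v1alpha3`, and nothing in the file name or the hunk signals that to consumers. Anyone validating `resource.k8s.io/v1alpha3` objects against the unversioned path will be checked against the v1beta1 shape after this lands, so pipelines should reference a version-suffixed file where one exists. The `$ref` values also resolve through the `master` branch URL of `_definitions.json`, which is mutable; pin or mirror it where reproducible validation matters.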
diff --git a/master/resourceclaimtemplate-resource-v1beta1.json b/master/resourceclaimtemplate-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..0d9bcf9f816556191c9aff46ed5f9acee9a73114 --- /dev/null +++ b/master/resourceclaimtemplate-resource-v1beta1.json 
@@ -0,0 +1,45 @@ +{ + "description": "ResourceClaimTemplate is used to produce ResourceClaim objects.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceClaimTemplate" + ] + }, + "metadata": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata" + }, + "spec": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec", + "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplate", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file 
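Review bot: the top-level `description` of this new v1beta1 schema still ends with "This is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", while the `apiVersion` enum is `resource.k8s.io/v1beta1` and `x-kubernetes-group-version-kind` says `v1beta1`. The sentence reads as carried over from the v1alpha3 type and will mislead anyone using the description to judge API maturity. If these files are generated, fix the wording at the source they are generated from instead of editing it here; the same sentence appears in the `ResourceSlice` v1beta1 description added by this patch.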
diff --git a/master/resourceclaimtemplate.json b/master/resourceclaimtemplate.json index 1113e945557963689926cc40f6245a5eb42163b9..bc95f82cb198ef501d2e2b0609987276e2d6a3fa 100644 --- a/master/resourceclaimtemplate.json +++ b/master/resourceclaimtemplate.json @@ -23,7 +23,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec", "description": "Describes the ResourceClaim that is to be generated.\n\nThis field is immutable. A ResourceClaim will get created by the control plane for a Pod when needed and then not get updated anymore." } }, @@ -35,7 +35,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplate", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/flowschemalist-flowcontrol-v1beta3.json b/master/resourceclaimtemplatelist-resource-v1beta1.json similarity index 73% rename from master/flowschemalist-flowcontrol-v1beta3.json rename to master/resourceclaimtemplatelist-resource-v1beta1.json index 222167a7de0f34e57ba884dc887104df9be7d5d9..55e1b9f4cf598f609def8d2383d2ab826c733fe7 100644 --- a/master/flowschemalist-flowcontrol-v1beta3.json +++ b/master/resourceclaimtemplatelist-resource-v1beta1.json 
@@ -1,5 +1,5 @@ { - "description": "FlowSchemaList is a list of FlowSchema objects.", + "description": "ResourceClaimTemplateList is a collection of claim templates.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", @@ -8,13 +8,13 @@ "null" ], "enum": [ - "flowcontrol.apiserver.k8s.io/v1beta3" + "resource.k8s.io/v1beta1" ] }, "items": { - "description": "`items` is a list of FlowSchemas.", + "description": "Items is the list of resource claim templates.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.FlowSchema" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" }, "type": [ "array", @@ -28,12 +28,12 @@ "null" ], "enum": [ - "FlowSchemaList" + "ResourceClaimTemplateList" ] }, "metadata": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", - "description": "`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + "description": "Standard list metadata" } }, "required": [ @@ -42,9 +42,9 @@ "type": "object", "x-kubernetes-group-version-kind": [ { - "group": "flowcontrol.apiserver.k8s.io", - "kind": "FlowSchemaList", - "version": "v1beta3" + "group": "resource.k8s.io", + "kind": "ResourceClaimTemplateList", + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" 
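Review bot: git records this as a 73% rename, but the hunk replaces the `flowcontrol.apiserver.k8s.io/v1beta3` `FlowSchemaList` schema with an unrelated `resource.k8s.io/v1beta1` `ResourceClaimTemplateList`, so the real effect is that `flowschemalist-flowcontrol-v1beta3.json` disappears from `master/`. Lookups for that file will miss at this ref, and a validator configured to skip missing schemas will then pass `flowcontrol.apiserver.k8s.io/v1beta3` manifests unchecked. Call out the removal in the commit message so consumers either pin an older schema ref or migrate those manifests.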
diff --git a/master/resourceclaimtemplatelist.json b/master/resourceclaimtemplatelist.json index 2f8b13bb8c436b76c120b4b78cd13c403886914b..62bbbddbe651223a602e683547e5ac6af620a6db 100644 --- a/master/resourceclaimtemplatelist.json +++ b/master/resourceclaimtemplatelist.json @@ -11,7 +11,7 @@ "items": { "description": "Items is the list of resource claim templates.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimTemplate" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimTemplate" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "resource.k8s.io", "kind": "ResourceClaimTemplateList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/resourceclaimtemplatespec-resource-v1beta1.json b/master/resourceclaimtemplatespec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c737ddc54443852d59a4a08f7efc7812388269c8 --- /dev/null +++ b/master/resourceclaimtemplatespec-resource-v1beta1.json 
@@ -0,0 +1,18 @@ +{ + "description": "ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.", + "properties": { + "metadata": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." + }, + "spec": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", + "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." + } + }, + "required": [ + "spec" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/resourceclaimtemplatespec.json b/master/resourceclaimtemplatespec.json index b6945fa38b22c73daabccc89a07f38165c13bba4..c737ddc54443852d59a4a08f7efc7812388269c8 100644 --- a/master/resourceclaimtemplatespec.json +++ b/master/resourceclaimtemplatespec.json 
@@ -6,7 +6,7 @@ "description": "ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation." }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec", "description": "Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here." } }, diff --git a/master/resourcepolicyrule-flowcontrol-v1beta3.json b/master/resourcepolicyrule-flowcontrol-v1beta3.json deleted file mode 100644 index c50cd302c586dfea83755a3ac4b1f8258666e262..0000000000000000000000000000000000000000 --- a/master/resourcepolicyrule-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,75 +0,0 @@ -{ - "description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.", - "properties": { - "apiGroups": { - "description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "clusterScope": { - "description": "`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.", - "type": [ - "boolean", - "null" - ] - }, - "namespaces": { - "description": "`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). 
This list may be empty, but only if `clusterScope` is true.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "resources": { - "description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - }, - "verbs": { - "description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "required": [ - "verbs", - "apiGroups", - "resources" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/resourcepool-resource-v1beta1.json b/master/resourcepool-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..c85bd4c5ed0de40ec3f8ef20bb164fe800fa5b02 --- /dev/null +++ b/master/resourcepool-resource-v1beta1.json 
@@ -0,0 +1,35 @@ +{ + "description": "ResourcePool describes the pool that ResourceSlices belong to.", + "properties": { + "generation": { + "description": "Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.", + "format": "int64", + "type": [ + "integer", + "null" + ] + }, + "name": { + "description": "Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "resourceSliceCount": { + "description": "ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.", + "format": "int64", + "type": [ + "integer", + "null" + ] + } + }, + "required": [ + "name", + "generation", + "resourceSliceCount" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/resourceslice-resource-v1beta1.json b/master/resourceslice-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..db181528076bcc1060047d3486a958bcd218461a --- /dev/null +++ b/master/resourceslice-resource-v1beta1.json 
@@ -0,0 +1,45 @@ +{ + "description": "ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple <driver name>, <pool name>, <device name>.\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceSlice" + ] + }, + "metadata": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta", + "description": "Standard object metadata" + }, + "spec": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec", + "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." + } + }, + "required": [ + "spec" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceSlice", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/resourceslice.json b/master/resourceslice.json index a36ffafebbe61ddc50508c16656688e7a9c43d79..2a39595c61798a0335478903b71616330d79af08 100644 --- a/master/resourceslice.json +++ b/master/resourceslice.json 
@@ -23,7 +23,7 @@ "description": "Standard object metadata" }, "spec": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec", "description": "Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number." } }, @@ -35,7 +35,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSlice", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/resourceslicelist-resource-v1beta1.json b/master/resourceslicelist-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..6203adc903e1bf2f19bf10c46a2e791f2e9443f6 --- /dev/null +++ b/master/resourceslicelist-resource-v1beta1.json 
@@ -0,0 +1,51 @@ +{ + "description": "ResourceSliceList is a collection of ResourceSlices.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": [ + "string", + "null" + ], + "enum": [ + "resource.k8s.io/v1beta1" + ] + }, + "items": { + "description": "Items is the list of resource ResourceSlices.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" + }, + "type": [ + "array", + "null" + ] + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": [ + "string", + "null" + ], + "enum": [ + "ResourceSliceList" + ] + }, + "metadata": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta", + "description": "Standard list metadata" + } + }, + "required": [ + "items" + ], + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "resource.k8s.io", + "kind": "ResourceSliceList", + "version": "v1beta1" + } + ], + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/resourceslicelist.json b/master/resourceslicelist.json index 994c1a1475823514ff38bcf41cb215e246f62905..f4dce5239d03d97ebf9f183bbeae7d57d212bbea 100644 --- a/master/resourceslicelist.json +++ b/master/resourceslicelist.json 
@@ -11,7 +11,7 @@ "items": { "description": "Items is the list of resource ResourceSlices.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice" }, "type": [ "array", @@ -41,7 +41,7 @@ { "group": "resource.k8s.io", "kind": "ResourceSliceList", - "version": "v1alpha3" + "version": "v1beta1" } ], "$schema": "http://json-schema.org/schema#" diff --git a/master/resourceslicespec-resource-v1beta1.json b/master/resourceslicespec-resource-v1beta1.json new file mode 100644 index 0000000000000000000000000000000000000000..610c004c3a43fc8d8bdc5ebaae78a61a50778915 --- /dev/null +++ b/master/resourceslicespec-resource-v1beta1.json 
@@ -0,0 +1,51 @@ +{ + "description": "ResourceSliceSpec contains the information published by the driver in one ResourceSlice.", + "properties": { + "allNodes": { + "description": "AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set.", + "type": [ + "boolean", + "null" + ] + }, + "devices": { + "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", + "items": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.Device" + }, + "type": [ + "array", + "null" + ], + "x-kubernetes-list-type": "atomic" + }, + "driver": { + "description": "Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeName": { + "description": "NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set. 
This field is immutable.", + "type": [ + "string", + "null" + ] + }, + "nodeSelector": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.NodeSelector", + "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." + }, + "pool": { + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourcePool", + "description": "Pool describes the pool that this ResourceSlice belongs to." + } + }, + "required": [ + "driver", + "pool" + ], + "type": "object", + "$schema": "http://json-schema.org/schema#" +} \ No newline at end of file diff --git a/master/resourceslicespec.json b/master/resourceslicespec.json index 51c1764511c3b5d3647eb27b4c65b7b8d3b61983..610c004c3a43fc8d8bdc5ebaae78a61a50778915 100644 --- a/master/resourceslicespec.json +++ b/master/resourceslicespec.json @@ -11,7 +11,7 @@ "devices": { "description": "Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.", "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.Device" + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.Device" }, "type": [ "array", 
@@ -38,7 +38,7 @@ "description": "NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector and AllNodes must be set." }, "pool": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool", + "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.resource.v1beta1.ResourcePool", "description": "Pool describes the pool that this ResourceSlice belongs to." } }, diff --git a/master/serviceaccountsubject-flowcontrol-v1beta3.json b/master/serviceaccountsubject-flowcontrol-v1beta3.json deleted file mode 100644 index 6548d56e8ca2b50536413574d36c0e31ae6b6b20..0000000000000000000000000000000000000000 --- a/master/serviceaccountsubject-flowcontrol-v1beta3.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "description": "ServiceAccountSubject holds detailed information for service-account-kind subject.", - "properties": { - "name": { - "description": "`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.", - "type": [ - "string", - "null" - ] - }, - "namespace": { - "description": "`namespace` is the namespace of matching ServiceAccount objects. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "namespace", - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/subject-flowcontrol-v1beta3.json b/master/subject-flowcontrol-v1beta3.json deleted file mode 100644 index b4e9980ff1c7a2f354854049e6123c881b2f4657..0000000000000000000000000000000000000000 --- a/master/subject-flowcontrol-v1beta3.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "description": "Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.", - "properties": { - "group": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.GroupSubject", - "description": "`group` matches based on user group name." - }, - "kind": { - "description": "`kind` indicates which one of the other fields is non-empty. Required", - "type": [ - "string", - "null" - ] - }, - "serviceAccount": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.ServiceAccountSubject", - "description": "`serviceAccount` matches ServiceAccounts." - }, - "user": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.flowcontrol.v1beta3.UserSubject", - "description": "`user` matches based on username." - } - }, - "required": [ - "kind" - ], - "type": "object", - "x-kubernetes-unions": [ - { - "discriminator": "kind", - "fields-to-discriminateBy": { - "group": "Group", - "serviceAccount": "ServiceAccount", - "user": "User" - } - } - ], - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/typechecking-admissionregistration-v1alpha1.json b/master/typechecking-admissionregistration-v1alpha1.json deleted file mode 100644 index cfe8e6aad4e9e2bc1137f8bd47f614b38b169134..0000000000000000000000000000000000000000 --- a/master/typechecking-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,18 +0,0 @@ -{ - "description": "TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy", - "properties": { - "expressionWarnings": { - "description": "The type checking warnings for each expression.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ExpressionWarning" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/usersubject-flowcontrol-v1beta3.json b/master/usersubject-flowcontrol-v1beta3.json deleted file mode 100644 index 68c027e1658d13f83854f8584cf6b43fe21f6371..0000000000000000000000000000000000000000 --- a/master/usersubject-flowcontrol-v1beta3.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "description": "UserSubject holds detailed information for user-kind subject.", - "properties": { - "name": { - "description": "`name` is the username that matches, or \"*\" to match all usernames. Required.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "name" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json b/master/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json deleted file mode 100644 index bea73c56f712a50114046ac829213d71da3289b5..0000000000000000000000000000000000000000 --- a/master/validatingadmissionpolicybindingspec-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,36 +0,0 @@ -{ - "description": "ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding.", - "properties": { - "matchResources": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are matched by the policy can be selected by this. If this is unset, all resources matched by the policy are validated by this binding When resourceRules is unset, it does not constrain resource matching. If a resource is matched by the other fields of this object, it will be validated. Note that this is differs from ValidatingAdmissionPolicy matchConstraints, where resourceRules are required." - }, - "paramRef": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamRef", - "description": "paramRef specifies the parameter resource used to configure the admission control policy. It should point to a resource of the type specified in ParamKind of the bound ValidatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the ValidatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is ignored, and the rules are evaluated without a param." - }, - "policyName": { - "description": "PolicyName references a ValidatingAdmissionPolicy name which the ValidatingAdmissionPolicyBinding binds to. 
If the referenced resource does not exist, this binding is considered invalid and will be ignored Required.", - "type": [ - "string", - "null" - ] - }, - "validationActions": { - "description": "validationActions declares how Validations of the referenced ValidatingAdmissionPolicy are enforced. If a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according to these actions only if the FailurePolicy is set to Fail, otherwise the failures are ignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does not matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client in HTTP Warning headers, with a warning code of 299. Warnings can be sent both for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is included in the published audit event for the request. 
The audit event will contain a `validation.policy.admission.k8s.io/validation_failure` audit annotation with a value containing the details of the validation failures, formatted as a JSON list of objects, each with the following fields: - message: The validation failure message string - policy: The resource name of the ValidatingAdmissionPolicy - binding: The resource name of the ValidatingAdmissionPolicyBinding - expressionIndex: The index of the failed validations in the ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `\"validation.policy.admission.k8s.io/validation_failure\": \"[{\\\"message\\\": \\\"Invalid value\\\", {\\\"policy\\\": \\\"policy.example.com\\\", {\\\"binding\\\": \\\"policybinding.example.com\\\", {\\\"expressionIndex\\\": \\\"1\\\", {\\\"validationActions\\\": [\\\"Audit\\\"]}]\"`\n\nClients should expect to handle additional values by ignoring any values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination needlessly duplicates the validation failure both in the API response body and the HTTP warning headers.\n\nRequired.", - "items": { - "type": [ - "string", - "null" - ] - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "set" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json b/master/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json deleted file mode 100644 index 6cc2ee60ce6dbdc3df4292aa88b20877ad491c07..0000000000000000000000000000000000000000 --- a/master/validatingadmissionpolicyspec-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,76 +0,0 @@ -{ - "description": "ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy.", - "properties": { - "auditAnnotations": { - "description": "auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both be empty; a least one of validations or auditAnnotations is required.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.AuditAnnotation" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "failurePolicy": { - "description": "failurePolicy defines how to handle failures for the admission policy. Failures can occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis-configured policy definitions or bindings.\n\nA policy is invalid if spec.paramKind refers to a non-existent Kind. A binding is invalid if spec.paramRef.name refers to a non-existent resource.\n\nfailurePolicy does not define how validations that evaluate to false are handled.\n\nWhen failurePolicy is set to Fail, ValidatingAdmissionPolicyBinding validationActions define how failures are enforced.\n\nAllowed values are Ignore or Fail. Defaults to Fail.", - "type": [ - "string", - "null" - ] - }, - "matchConditions": { - "description": "MatchConditions is a list of conditions that must be met for a request to be validated. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nIf a parameter object is provided, it can be accessed via the `params` handle in the same manner as validation expressions.\n\nThe exact matching logic is (in order):\n 1. 
If ANY matchCondition evaluates to FALSE, the policy is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the policy is skipped", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchCondition" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - }, - "matchConstraints": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.MatchResources", - "description": "MatchConstraints specifies what resources this policy is designed to validate. The AdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order to prevent clusters from being put into an unstable state that cannot be recovered from via the API ValidatingAdmissionPolicy cannot match ValidatingAdmissionPolicy and ValidatingAdmissionPolicyBinding. Required." - }, - "paramKind": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.ParamKind", - "description": "ParamKind specifies the kind of resources used to parameterize this policy. If absent, there are no parameters for this policy and the param CEL variable will not be provided to validation expressions. If ParamKind refers to a non-existent kind, this policy definition is mis-configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in ValidatingAdmissionPolicyBinding, the params variable will be null." 
- }, - "validations": { - "description": "Validations contain CEL expressions which is used to apply the validation. Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is required.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Validation" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-type": "atomic" - }, - "variables": { - "description": "Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. The variables defined here will be available under `variables` in other expressions of the policy except MatchConditions because MatchConditions are evaluated before the rest of the policy.\n\nThe expression of a variable can refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.Variable" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "name" - ], - "x-kubernetes-list-type": "map", - "x-kubernetes-patch-merge-key": "name", - "x-kubernetes-patch-strategy": "merge" - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json b/master/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json deleted file mode 100644 index e3d5a44f7f0e58eae50904826f17f48ccaf1f130..0000000000000000000000000000000000000000 --- a/master/validatingadmissionpolicystatus-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "description": "ValidatingAdmissionPolicyStatus represents the status of a ValidatingAdmissionPolicy.", - "properties": { - "conditions": { - "description": "The conditions represent the latest available observations of a policy's current state.", - "items": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition" - }, - "type": [ - "array", - "null" - ], - "x-kubernetes-list-map-keys": [ - "type" - ], - "x-kubernetes-list-type": "map" - }, - "observedGeneration": { - "description": "The generation observed by the controller.", - "format": "int64", - "type": [ - "integer", - "null" - ] - }, - "typeChecking": { - "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.admissionregistration.v1alpha1.TypeChecking", - "description": "The results of type checking for each expression. Presence of this field indicates the completion of the type checking." - } - }, - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file diff --git a/master/validation-admissionregistration-v1alpha1.json b/master/validation-admissionregistration-v1alpha1.json deleted file mode 100644 index a4effa90f7dda98886dddfdb96cbc642b4f399a6..0000000000000000000000000000000000000000 --- a/master/validation-admissionregistration-v1alpha1.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "description": "Validation specifies the CEL expression which is used to apply the validation.", - "properties": { - "expression": { - "description": "Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' 
escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.", - "type": [ - "string", - "null" - ] - }, - "message": { - "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. 
If unset, the message is \"failed Expression: {Expression}\".", - "type": [ - "string", - "null" - ] - }, - "messageExpression": { - "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"", - "type": [ - "string", - "null" - ] - }, - "reason": { - "description": "Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.", - "type": [ - "string", - "null" - ] - } - }, - "required": [ - "expression" - ], - "type": "object", - "$schema": "http://json-schema.org/schema#" -} \ No newline at end of file 
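Review bot: No replacement is referenced for the v1alpha1 `Validation` schema deleted here, so the `required` entry for `expression` at the end of the file disappears for any manifest that still declares that version. A pipeline that skips kinds with no schema would then pass such a policy unvalidated. Please confirm that the schema for the same type at a served version ships in this tree, and call out the removal in the changelog so consumers can fail closed.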
diff --git a/master/volume-v1.json b/master/volume-v1.json index bb0fc3b52beb415a3ccd32b02b37237e4804b8f0..3ad9d6ba181fbae1eeb7cd26cf9c17a67eb7b15d 100644 --- a/master/volume-v1.json +++ b/master/volume-v1.json 
@@ -3,23 +3,23 @@ "properties": { "awsElasticBlockStore": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." 
}, "cephfs": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CephFSVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CinderVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "configMap": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource", @@ -27,7 +27,7 @@ }, "csi": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CSIVolumeSource", - "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers." }, "downwardAPI": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource", 
@@ -47,23 +47,23 @@ }, "flexVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FlexVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "gitRepo": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource", - "description": "gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." + "description": "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." }, "glusterfs": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource", - "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
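Review bot: The `flocker` and `glusterfs` lines now say the in-tree type is "no longer supported", yet the property definitions are otherwise unchanged, so a manifest using either still validates cleanly against this schema. The deprecation lives only in the description string, which gives a linter nothing structured to key on. Consider a machine-readable marker on these properties, or at least document that consumers must match on the "Deprecated:" prefix, which this hunk also normalises from "DEPRECATED:" in `gitRepo`.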
@@ -94,11 +94,11 @@ }, "photonPersistentDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "projected": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource", 
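Review bot: The new `portworxVolume` text makes the redirect conditional ("when the CSIMigrationPortworx feature-gate is on"), unlike the unconditional wording used for the other redirected types in this file, and it does not say what happens with the gate off. Add a clause covering that case so readers do not assume the in-tree path is already gone. Nit: "kubelets host machine" in both `+` lines here should read "kubelet's host machine", as the `gcePersistentDisk` description already does.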
@@ -106,15 +106,15 @@ }, "quobyte": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.RBDVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "secret": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.SecretVolumeSource", 
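Review bot: The `rbd` line declares the in-tree type "no longer supported" but still ends with "More info: https://examples.k8s.io/volumes/rbd/README.md", which sends readers to a usage example for a type they can no longer use. Drop the link or replace it with a migration pointer. `quobyte` and `scaleIO` in the same hunk carry no such link, so removing it also makes the three entries consistent.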
@@ -122,11 +122,11 @@ }, "storageos": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource", - "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported." }, "vsphereVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "required": [ diff --git a/master/volume.json b/master/volume.json index bb0fc3b52beb415a3ccd32b02b37237e4804b8f0..3ad9d6ba181fbae1eeb7cd26cf9c17a67eb7b15d 100644 --- a/master/volume.json +++ b/master/volume.json 
@@ -3,23 +3,23 @@ "properties": { "awsElasticBlockStore": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource", - "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" + "description": "awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore" }, "azureDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource", - "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod." + "description": "azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver." }, "azureFile": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource", - "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod." + "description": "azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver." 
}, "cephfs": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CephFSVolumeSource", - "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime" + "description": "cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported." }, "cinder": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CinderVolumeSource", - "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" + "description": "cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md" }, "configMap": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource", @@ -27,7 +27,7 @@ }, "csi": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.CSIVolumeSource", - "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature)." + "description": "csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers." }, "downwardAPI": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource", 
@@ -47,23 +47,23 @@ }, "flexVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FlexVolumeSource", - "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin." + "description": "flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead." }, "flocker": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.FlockerVolumeSource", - "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running" + "description": "flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported." }, "gcePersistentDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource", - "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" + "description": "gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk" }, "gitRepo": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource", - "description": "gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." + "description": "gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container." }, "glusterfs": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource", - "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md" + "description": "glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md" }, "hostPath": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.HostPathVolumeSource", 
@@ -94,11 +94,11 @@ }, "photonPersistentDisk": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource", - "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine" + "description": "photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported." }, "portworxVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.PortworxVolumeSource", - "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine" + "description": "portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on." }, "projected": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource", 
@@ -106,15 +106,15 @@ }, "quobyte": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource", - "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime" + "description": "quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported." }, "rbd": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.RBDVolumeSource", - "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md" + "description": "rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md" }, "scaleIO": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource", - "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes." + "description": "scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported." }, "secret": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.SecretVolumeSource", 
@@ -122,11 +122,11 @@ }, "storageos": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource", - "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes." + "description": "storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported." }, "vsphereVolume": { "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/master/_definitions.json#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource", - "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine" + "description": "vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver." } }, "required": [ diff --git a/master/watchevent-meta-v1.json b/master/watchevent-meta-v1.json index 5d87b170239d0197f4b30bc2a884680a33303ace..b5d98265587b7d88247c989c1f4ca6fa4cd1599b 100644 --- a/master/watchevent-meta-v1.json +++ b/master/watchevent-meta-v1.json @@ -283,6 +283,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent", diff --git a/master/watchevent.json b/master/watchevent.json index 5d87b170239d0197f4b30bc2a884680a33303ace..b5d98265587b7d88247c989c1f4ca6fa4cd1599b 100644 --- a/master/watchevent.json +++ b/master/watchevent.json @@ -283,6 +283,11 @@ "kind": "WatchEvent", "version": "v1alpha3" }, + { + "group": "resource.k8s.io", + "kind": "WatchEvent", + "version": "v1beta1" + }, { "group": "scheduling.k8s.io", "kind": "WatchEvent",
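Review bot: in the master/volume.json hunks, the new text for cephfs, flocker, glusterfs, photonPersistentDisk, quobyte, rbd, scaleIO and storageos states that the in-tree type "is no longer supported", but every changed line is a "description" string, so a manifest that still declares one of these volumes validates against this schema exactly as it did before. A JSON Schema validator treats "description" as an annotation and does not enforce it. If this schema backs a CI gate, add a separate lint or admission rule that flags these volume keys, or note next to the schema that deprecation is documented here but not checked.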
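Review bot: in the @@ -94,11 +94,11 @@ hunk, portworxVolume is the only redirected type whose wording is conditional ("when the CSIMigrationPortworx feature-gate is on"), while awsElasticBlockStore, azureDisk, azureFile, cinder, gcePersistentDisk and vsphereVolume are described as redirected to their CSI drivers without a condition. The wording implies that the in-tree portworxVolume path is still in use when the gate is off, so the seven entries should not be read as equivalent. Anyone relying on these descriptions for a migration inventory should record the gate state per cluster next to the portworxVolume entry.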
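Review bot: in the @@ -47,23 +47,23 @@ hunk, the gitRepo prefix changes from "DEPRECATED:" to "Deprecated:", and in the @@ -27,7 +27,7 @@ hunk the csi description drops "(Beta feature)". Any tooling that searches descriptions with a case-sensitive match on "DEPRECATED:" will stop matching gitRepo after this change, and the same applies to anything keyed on the "(Beta feature)" marker. Switch such matching to the uniform "Deprecated:" prefix that every entry in this patch now uses, or make it case-insensitive.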
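Review bot: master/watchevent-meta-v1.json and master/watchevent.json show the same blob ids on both sides (5d87b170... to b5d98265...), so the two files are identical and the @@ -283,6 +283,11 @@ hunk adding the resource.k8s.io v1beta1 WatchEvent entry is applied twice. If both files come out of the generator this is fine, but it is worth stating that in the commit message so a later hand edit to only one of them is caught as drift. The v1alpha3 entry just above the insertion is kept as context, so both versions remain listed after this change.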