// This file was autogenerated by go-to-protobuf. Do not edit it manually!
//
// NOTE(review): the comments on messages and fields below are presumably copied
// from the Go API types this file is generated from; wording fixes made only
// here would be lost on regeneration — confirm and mirror them in the Go source.
//
// The messages describe three "review" requests that answer whether a pod
// template would be allowed by the security policy rules: for a set of service
// accounts (PodSecurityPolicyReview), for a named user/groups
// (PodSecurityPolicySubjectReview), or for "this" user
// (PodSecurityPolicySelfSubjectReview).

syntax = 'proto2';

package github.com.openshift.origin.pkg.security.api.v1;

import "github.com/openshift/origin/pkg/quota/api/v1/generated.proto";
import "k8s.io/kubernetes/pkg/api/unversioned/generated.proto";
import "k8s.io/kubernetes/pkg/api/v1/generated.proto";
import "k8s.io/kubernetes/pkg/runtime/generated.proto";
import "k8s.io/kubernetes/pkg/util/intstr/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "v1";

// PodSecurityPolicyReview checks which service accounts (not users, since that
// would be cluster-wide) can create the `PodTemplateSpec` in question.
message PodSecurityPolicyReview {
  // spec is the PodSecurityPolicy to check.
  optional PodSecurityPolicyReviewSpec spec = 1;

  // status represents the current information/status for the
  // PodSecurityPolicyReview.
  optional PodSecurityPolicyReviewStatus status = 2;
}

// PodSecurityPolicyReviewSpec defines the specification for a
// PodSecurityPolicyReview.
message PodSecurityPolicyReviewSpec {
  // template is the PodTemplateSpec to check.
  // Which service account is evaluated:
  //   - serviceAccountNames non-empty: those names are used and
  //     template.spec.serviceAccountName is ignored;
  //   - serviceAccountNames empty: template.spec.serviceAccountName is used;
  //   - both empty: "default" is used.
  optional k8s.io.kubernetes.pkg.api.v1.PodTemplateSpec template = 1;

  // serviceAccountNames is an optional set of ServiceAccounts to run the check
  // with. If serviceAccountNames is empty, template.spec.serviceAccountName is
  // used, unless it is empty too, in which case "default" is used instead.
  // If serviceAccountNames is specified, template.spec.serviceAccountName is
  // ignored.
  repeated string serviceAccountNames = 2;
}

// PodSecurityPolicyReviewStatus represents the status of
// PodSecurityPolicyReview.
message PodSecurityPolicyReviewStatus {
  // allowedServiceAccounts returns the list of service accounts in *this*
  // namespace that have the power to create the PodTemplateSpec.
  // NOTE(review): the comment on ServiceAccountPodSecurityPolicyReviewStatus.name
  // says an entry may name a denied account as well; presumably consumers must
  // check each entry's allowedBy instead of treating list membership as
  // "allowed" — confirm against the server implementation.
  repeated ServiceAccountPodSecurityPolicyReviewStatus allowedServiceAccounts = 1;
}

// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can
// create the PodTemplateSpec.
// The spec carries no user or groups fields, so the subject is not taken from
// the request body (presumably it is the authenticated caller — confirm).
message PodSecurityPolicySelfSubjectReview {
  // spec defines the specification for the PodSecurityPolicySelfSubjectReview.
  optional PodSecurityPolicySelfSubjectReviewSpec spec = 1;

  // status represents the current information/status for the
  // PodSecurityPolicySelfSubjectReview. It reuses the status type of
  // PodSecurityPolicySubjectReview.
  optional PodSecurityPolicySubjectReviewStatus status = 2;
}

// PodSecurityPolicySelfSubjectReviewSpec contains the specification for
// PodSecurityPolicySelfSubjectReview.
message PodSecurityPolicySelfSubjectReviewSpec {
  // template is the PodTemplateSpec to check.
  optional k8s.io.kubernetes.pkg.api.v1.PodTemplateSpec template = 1;
}

// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can
// create the PodTemplateSpec.
message PodSecurityPolicySubjectReview {
  // spec defines the specification for the PodSecurityPolicySubjectReview.
  optional PodSecurityPolicySubjectReviewSpec spec = 1;

  // status represents the current information/status for the
  // PodSecurityPolicySubjectReview.
  optional PodSecurityPolicySubjectReviewStatus status = 2;
}

// PodSecurityPolicySubjectReviewSpec defines the specification for
// PodSecurityPolicySubjectReview.
// NOTE(review): user and groups are supplied in the request and describe a
// hypothetical subject, so a caller can ask what another identity is allowed
// to run; presumably access to this review is restricted by authorization
// policy — confirm.
message PodSecurityPolicySubjectReviewSpec {
  // template is the PodTemplateSpec to check. If
  // template.spec.serviceAccountName is empty it will not be defaulted.
  // If it is non-empty, it will be checked.
  optional k8s.io.kubernetes.pkg.api.v1.PodTemplateSpec template = 1;

  // user is the user you're testing for.
  // If you specify "user" but not "groups", then it is interpreted as "What if
  // user were not a member of any groups?".
  // If user and groups are empty, then the check is performed using *only* the
  // serviceAccountName in the template.
  optional string user = 2;

  // groups is the groups you're testing for.
  repeated string groups = 3;
}

// PodSecurityPolicySubjectReviewStatus contains information/status for
// PodSecurityPolicySubjectReview.
message PodSecurityPolicySubjectReviewStatus {
  // allowedBy is a reference to the rule that allows the PodTemplateSpec.
  // A rule can be a SecurityContextConstraint or a PodSecurityPolicy.
  // A `nil` indicates that it was denied, so consumers should treat an unset
  // allowedBy as a denial rather than as "unknown".
  optional k8s.io.kubernetes.pkg.api.v1.ObjectReference allowedBy = 1;

  // A machine-readable description of why this operation is in the
  // "Failure" status. If this value is empty there
  // is no information available.
  // An empty reason therefore does not by itself say the template was allowed;
  // allowedBy is the field documented as carrying the allow/deny outcome.
  optional string reason = 2;

  // template is the PodTemplateSpec after the defaulting is applied.
  optional k8s.io.kubernetes.pkg.api.v1.PodTemplateSpec template = 3;
}

// ServiceAccountPodSecurityPolicyReviewStatus represents a ServiceAccount name
// and the related review status.
message ServiceAccountPodSecurityPolicyReviewStatus {
  // podSecurityPolicySubjectReviewStatus is the review result for the service
  // account named in `name` (undocumented in the generated source; meaning
  // taken from the message comment).
  optional PodSecurityPolicySubjectReviewStatus podSecurityPolicySubjectReviewStatus = 1;

  // name contains the allowed and the denied ServiceAccount name.
  optional string name = 2;
}