Serge Bazanski | ae052f0 | 2021-05-24 13:54:11 +0200 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2018 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | // To regenerate api.pb.go run hack/update-generated-runtime.sh |
| 18 | syntax = "proto3"; |
| 19 | |
| 20 | package runtime.v1alpha2; |
| 21 | option go_package = "code.hackerspace.pl/hscloud/cluster/identd/cri"; |
| 22 | |
| 23 | // Runtime service defines the public APIs for remote container runtimes |
| 24 | service RuntimeService { |
| 25 | // Version returns the runtime name, runtime version, and runtime API version. |
| 26 | rpc Version(VersionRequest) returns (VersionResponse) {} |
| 27 | |
| 28 | // RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure |
| 29 | // the sandbox is in the ready state on success. |
| 30 | rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse) {} |
| 31 | // StopPodSandbox stops any running process that is part of the sandbox and |
| 32 | // reclaims network resources (e.g., IP addresses) allocated to the sandbox. |
| 33 | // If there are any running containers in the sandbox, they must be forcibly |
| 34 | // terminated. |
| 35 | // This call is idempotent, and must not return an error if all relevant |
| 36 | // resources have already been reclaimed. kubelet will call StopPodSandbox |
| 37 | // at least once before calling RemovePodSandbox. It will also attempt to |
| 38 | // reclaim resources eagerly, as soon as a sandbox is not needed. Hence, |
| 39 | // multiple StopPodSandbox calls are expected. |
| 40 | rpc StopPodSandbox(StopPodSandboxRequest) returns (StopPodSandboxResponse) {} |
| 41 | // RemovePodSandbox removes the sandbox. If there are any running containers |
| 42 | // in the sandbox, they must be forcibly terminated and removed. |
| 43 | // This call is idempotent, and must not return an error if the sandbox has |
| 44 | // already been removed. |
| 45 | rpc RemovePodSandbox(RemovePodSandboxRequest) returns (RemovePodSandboxResponse) {} |
| 46 | // PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not |
| 47 | // present, returns an error. |
| 48 | rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse) {} |
| 49 | // ListPodSandbox returns a list of PodSandboxes. |
| 50 | rpc ListPodSandbox(ListPodSandboxRequest) returns (ListPodSandboxResponse) {} |
| 51 | |
| 52 | // CreateContainer creates a new container in specified PodSandbox |
| 53 | rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse) {} |
| 54 | // StartContainer starts the container. |
| 55 | rpc StartContainer(StartContainerRequest) returns (StartContainerResponse) {} |
| 56 | // StopContainer stops a running container with a grace period (i.e., timeout). |
| 57 | // This call is idempotent, and must not return an error if the container has |
| 58 | // already been stopped. |
| 59 | // TODO: what must the runtime do after the grace period is reached? |
| 60 | rpc StopContainer(StopContainerRequest) returns (StopContainerResponse) {} |
| 61 | // RemoveContainer removes the container. If the container is running, the |
| 62 | // container must be forcibly removed. |
| 63 | // This call is idempotent, and must not return an error if the container has |
| 64 | // already been removed. |
| 65 | rpc RemoveContainer(RemoveContainerRequest) returns (RemoveContainerResponse) {} |
| 66 | // ListContainers lists all containers by filters. |
| 67 | rpc ListContainers(ListContainersRequest) returns (ListContainersResponse) {} |
| 68 | // ContainerStatus returns status of the container. If the container is not |
| 69 | // present, returns an error. |
| 70 | rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {} |
| 71 | // UpdateContainerResources updates ContainerConfig of the container. |
| 72 | rpc UpdateContainerResources(UpdateContainerResourcesRequest) returns (UpdateContainerResourcesResponse) {} |
| 73 | // ReopenContainerLog asks runtime to reopen the stdout/stderr log file |
| 74 | // for the container. This is often called after the log file has been |
| 75 | // rotated. If the container is not running, container runtime can choose |
| 76 | // to either create a new log file and return nil, or return an error. |
| 77 | // Once it returns error, new container log file MUST NOT be created. |
| 78 | rpc ReopenContainerLog(ReopenContainerLogRequest) returns (ReopenContainerLogResponse) {} |
| 79 | |
| 80 | // ExecSync runs a command in a container synchronously. |
| 81 | rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {} |
| 82 | // Exec prepares a streaming endpoint to execute a command in the container. |
| 83 | rpc Exec(ExecRequest) returns (ExecResponse) {} |
| 84 | // Attach prepares a streaming endpoint to attach to a running container. |
| 85 | rpc Attach(AttachRequest) returns (AttachResponse) {} |
| 86 | // PortForward prepares a streaming endpoint to forward ports from a PodSandbox. |
| 87 | rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {} |
| 88 | |
| 89 | // ContainerStats returns stats of the container. If the container does not |
| 90 | // exist, the call returns an error. |
| 91 | rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {} |
| 92 | // ListContainerStats returns stats of all running containers. |
| 93 | rpc ListContainerStats(ListContainerStatsRequest) returns (ListContainerStatsResponse) {} |
| 94 | |
| 95 | // UpdateRuntimeConfig updates the runtime configuration based on the given request. |
| 96 | rpc UpdateRuntimeConfig(UpdateRuntimeConfigRequest) returns (UpdateRuntimeConfigResponse) {} |
| 97 | |
| 98 | // Status returns the status of the runtime. |
| 99 | rpc Status(StatusRequest) returns (StatusResponse) {} |
| 100 | } |
| 101 | |
| 102 | // ImageService defines the public APIs for managing images. |
| 103 | service ImageService { |
| 104 | // ListImages lists existing images. |
| 105 | rpc ListImages(ListImagesRequest) returns (ListImagesResponse) {} |
| 106 | // ImageStatus returns the status of the image. If the image is not |
| 107 | // present, returns a response with ImageStatusResponse.Image set to |
| 108 | // nil. |
| 109 | rpc ImageStatus(ImageStatusRequest) returns (ImageStatusResponse) {} |
| 110 | // PullImage pulls an image with authentication config. |
| 111 | rpc PullImage(PullImageRequest) returns (PullImageResponse) {} |
| 112 | // RemoveImage removes the image. |
| 113 | // This call is idempotent, and must not return an error if the image has |
| 114 | // already been removed. |
| 115 | rpc RemoveImage(RemoveImageRequest) returns (RemoveImageResponse) {} |
| 116 | // ImageFSInfo returns information of the filesystem that is used to store images. |
| 117 | rpc ImageFsInfo(ImageFsInfoRequest) returns (ImageFsInfoResponse) {} |
| 118 | } |
| 119 | |
| 120 | message VersionRequest { |
| 121 | // Version of the kubelet runtime API. |
| 122 | string version = 1; |
| 123 | } |
| 124 | |
| 125 | message VersionResponse { |
| 126 | // Version of the kubelet runtime API. |
| 127 | string version = 1; |
| 128 | // Name of the container runtime. |
| 129 | string runtime_name = 2; |
| 130 | // Version of the container runtime. The string must be |
| 131 | // semver-compatible. |
| 132 | string runtime_version = 3; |
| 133 | // API version of the container runtime. The string must be |
| 134 | // semver-compatible. |
| 135 | string runtime_api_version = 4; |
| 136 | } |
| 137 | |
| 138 | // DNSConfig specifies the DNS servers and search domains of a sandbox. |
| 139 | message DNSConfig { |
| 140 | // List of DNS servers of the cluster. |
| 141 | repeated string servers = 1; |
| 142 | // List of DNS search domains of the cluster. |
| 143 | repeated string searches = 2; |
| 144 | // List of DNS options. See https://linux.die.net/man/5/resolv.conf |
| 145 | // for all available options. |
| 146 | repeated string options = 3; |
| 147 | } |
| 148 | |
| 149 | enum Protocol { |
| 150 | TCP = 0; |
| 151 | UDP = 1; |
| 152 | SCTP = 2; |
| 153 | } |
| 154 | |
| 155 | // PortMapping specifies the port mapping configurations of a sandbox. |
| 156 | message PortMapping { |
| 157 | // Protocol of the port mapping. |
| 158 | Protocol protocol = 1; |
| 159 | // Port number within the container. Default: 0 (not specified). |
| 160 | int32 container_port = 2; |
| 161 | // Port number on the host. Default: 0 (not specified). |
| 162 | int32 host_port = 3; |
| 163 | // Host IP. |
| 164 | string host_ip = 4; |
| 165 | } |
| 166 | |
| 167 | enum MountPropagation { |
| 168 | // No mount propagation ("private" in Linux terminology). |
| 169 | PROPAGATION_PRIVATE = 0; |
| 170 | // Mounts get propagated from the host to the container ("rslave" in Linux). |
| 171 | PROPAGATION_HOST_TO_CONTAINER = 1; |
| 172 | // Mounts get propagated from the host to the container and from the |
| 173 | // container to the host ("rshared" in Linux). |
| 174 | PROPAGATION_BIDIRECTIONAL = 2; |
| 175 | } |
| 176 | |
| 177 | // Mount specifies a host volume to mount into a container. |
| 178 | message Mount { |
| 179 | // Path of the mount within the container. |
| 180 | string container_path = 1; |
| 181 | // Path of the mount on the host. If the hostPath doesn't exist, then runtimes |
| 182 | // should report error. If the hostpath is a symbolic link, runtimes should |
| 183 | // follow the symlink and mount the real destination to container. |
| 184 | string host_path = 2; |
| 185 | // If set, the mount is read-only. |
| 186 | bool readonly = 3; |
| 187 | // If set, the mount needs SELinux relabeling. |
| 188 | bool selinux_relabel = 4; |
| 189 | // Requested propagation mode. |
| 190 | MountPropagation propagation = 5; |
| 191 | } |
| 192 | |
| 193 | // A NamespaceMode describes the intended namespace configuration for each |
| 194 | // of the namespaces (Network, PID, IPC) in NamespaceOption. Runtimes should |
| 195 | // map these modes as appropriate for the technology underlying the runtime. |
| 196 | enum NamespaceMode { |
| 197 | // A POD namespace is common to all containers in a pod. |
| 198 | // For example, a container with a PID namespace of POD expects to view |
| 199 | // all of the processes in all of the containers in the pod. |
| 200 | POD = 0; |
| 201 | // A CONTAINER namespace is restricted to a single container. |
| 202 | // For example, a container with a PID namespace of CONTAINER expects to |
| 203 | // view only the processes in that container. |
| 204 | CONTAINER = 1; |
| 205 | // A NODE namespace is the namespace of the Kubernetes node. |
| 206 | // For example, a container with a PID namespace of NODE expects to view |
| 207 | // all of the processes on the host running the kubelet. |
| 208 | NODE = 2; |
| 209 | // TARGET targets the namespace of another container. When this is specified, |
| 210 | // a target_id must be specified in NamespaceOption and refer to a container |
| 211 | // previously created with NamespaceMode CONTAINER. This containers namespace |
| 212 | // will be made to match that of container target_id. |
| 213 | // For example, a container with a PID namespace of TARGET expects to view |
| 214 | // all of the processes that container target_id can view. |
| 215 | TARGET = 3; |
| 216 | } |
| 217 | |
| 218 | // NamespaceOption provides options for Linux namespaces. |
| 219 | message NamespaceOption { |
| 220 | // Network namespace for this container/sandbox. |
| 221 | // Note: There is currently no way to set CONTAINER scoped network in the Kubernetes API. |
| 222 | // Namespaces currently set by the kubelet: POD, NODE |
| 223 | NamespaceMode network = 1; |
| 224 | // PID namespace for this container/sandbox. |
| 225 | // Note: The CRI default is POD, but the v1.PodSpec default is CONTAINER. |
| 226 | // The kubelet's runtime manager will set this to CONTAINER explicitly for v1 pods. |
| 227 | // Namespaces currently set by the kubelet: POD, CONTAINER, NODE, TARGET |
| 228 | NamespaceMode pid = 2; |
| 229 | // IPC namespace for this container/sandbox. |
| 230 | // Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API. |
| 231 | // Namespaces currently set by the kubelet: POD, NODE |
| 232 | NamespaceMode ipc = 3; |
| 233 | // Target Container ID for NamespaceMode of TARGET. This container must have been |
| 234 | // previously created in the same pod. It is not possible to specify different targets |
| 235 | // for each namespace. |
| 236 | string target_id = 4; |
| 237 | } |
| 238 | |
| 239 | // Int64Value is the wrapper of int64. |
| 240 | message Int64Value { |
| 241 | // The value. |
| 242 | int64 value = 1; |
| 243 | } |
| 244 | |
| 245 | // LinuxSandboxSecurityContext holds linux security configuration that will be |
| 246 | // applied to a sandbox. Note that: |
| 247 | // 1) It does not apply to containers in the pods. |
| 248 | // 2) It may not be applicable to a PodSandbox which does not contain any running |
| 249 | // process. |
| 250 | message LinuxSandboxSecurityContext { |
| 251 | // Configurations for the sandbox's namespaces. |
| 252 | // This will be used only if the PodSandbox uses namespace for isolation. |
| 253 | NamespaceOption namespace_options = 1; |
| 254 | // Optional SELinux context to be applied. |
| 255 | SELinuxOption selinux_options = 2; |
| 256 | // UID to run sandbox processes as, when applicable. |
| 257 | Int64Value run_as_user = 3; |
| 258 | // GID to run sandbox processes as, when applicable. run_as_group should only |
| 259 | // be specified when run_as_user is specified; otherwise, the runtime MUST error. |
| 260 | Int64Value run_as_group = 8; |
| 261 | // If set, the root filesystem of the sandbox is read-only. |
| 262 | bool readonly_rootfs = 4; |
| 263 | // List of groups applied to the first process run in the sandbox, in |
| 264 | // addition to the sandbox's primary GID. |
| 265 | repeated int64 supplemental_groups = 5; |
| 266 | // Indicates whether the sandbox will be asked to run a privileged |
| 267 | // container. If a privileged container is to be executed within it, this |
| 268 | // MUST be true. |
| 269 | // This allows a sandbox to take additional security precautions if no |
| 270 | // privileged containers are expected to be run. |
| 271 | bool privileged = 6; |
| 272 | // Seccomp profile for the sandbox. |
| 273 | SecurityProfile seccomp = 9; |
| 274 | // AppArmor profile for the sandbox. |
| 275 | SecurityProfile apparmor = 10; |
| 276 | // Seccomp profile for the sandbox, candidate values are: |
| 277 | // * runtime/default: the default profile for the container runtime |
| 278 | // * unconfined: unconfined profile, ie, no seccomp sandboxing |
| 279 | // * localhost/<full-path-to-profile>: the profile installed on the node. |
| 280 | // <full-path-to-profile> is the full path of the profile. |
| 281 | // Default: "", which is identical with unconfined. |
| 282 | string seccomp_profile_path = 7 [deprecated=true]; |
| 283 | } |
| 284 | |
| 285 | // A security profile which can be used for sandboxes and containers. |
| 286 | message SecurityProfile { |
| 287 | // Available profile types. |
| 288 | enum ProfileType { |
| 289 | // The container runtime default profile should be used. |
| 290 | RuntimeDefault = 0; |
| 291 | // Disable the feature for the sandbox or the container. |
| 292 | Unconfined = 1; |
| 293 | // A pre-defined profile on the node should be used. |
| 294 | Localhost = 2; |
| 295 | } |
| 296 | // Indicator which `ProfileType` should be applied. |
| 297 | ProfileType profile_type = 1; |
| 298 | // Indicates that a pre-defined profile on the node should be used. |
| 299 | // Must only be set if `ProfileType` is `Localhost`. |
| 300 | // For seccomp, it must be an absolute path to the seccomp profile. |
| 301 | // For AppArmor, this field is the AppArmor `<profile name>/` |
| 302 | string localhost_ref = 2; |
| 303 | } |
| 304 | |
| 305 | // LinuxPodSandboxConfig holds platform-specific configurations for Linux |
| 306 | // host platforms and Linux-based containers. |
| 307 | message LinuxPodSandboxConfig { |
| 308 | // Parent cgroup of the PodSandbox. |
| 309 | // The cgroupfs style syntax will be used, but the container runtime can |
| 310 | // convert it to systemd semantics if needed. |
| 311 | string cgroup_parent = 1; |
| 312 | // LinuxSandboxSecurityContext holds sandbox security attributes. |
| 313 | LinuxSandboxSecurityContext security_context = 2; |
| 314 | // Sysctls holds linux sysctls config for the sandbox. |
| 315 | map<string, string> sysctls = 3; |
| 316 | } |
| 317 | |
| 318 | // PodSandboxMetadata holds all necessary information for building the sandbox name. |
| 319 | // The container runtime is encouraged to expose the metadata associated with the |
| 320 | // PodSandbox in its user interface for better user experience. For example, |
| 321 | // the runtime can construct a unique PodSandboxName based on the metadata. |
| 322 | message PodSandboxMetadata { |
| 323 | // Pod name of the sandbox. Same as the pod name in the Pod ObjectMeta. |
| 324 | string name = 1; |
| 325 | // Pod UID of the sandbox. Same as the pod UID in the Pod ObjectMeta. |
| 326 | string uid = 2; |
| 327 | // Pod namespace of the sandbox. Same as the pod namespace in the Pod ObjectMeta. |
| 328 | string namespace = 3; |
| 329 | // Attempt number of creating the sandbox. Default: 0. |
| 330 | uint32 attempt = 4; |
| 331 | } |
| 332 | |
| 333 | // PodSandboxConfig holds all the required and optional fields for creating a |
| 334 | // sandbox. |
| 335 | message PodSandboxConfig { |
| 336 | // Metadata of the sandbox. This information will uniquely identify the |
| 337 | // sandbox, and the runtime should leverage this to ensure correct |
| 338 | // operation. The runtime may also use this information to improve UX, such |
| 339 | // as by constructing a readable name. |
| 340 | PodSandboxMetadata metadata = 1; |
| 341 | // Hostname of the sandbox. Hostname could only be empty when the pod |
| 342 | // network namespace is NODE. |
| 343 | string hostname = 2; |
| 344 | // Path to the directory on the host in which container log files are |
| 345 | // stored. |
| 346 | // By default the log of a container going into the LogDirectory will be |
| 347 | // hooked up to STDOUT and STDERR. However, the LogDirectory may contain |
| 348 | // binary log files with structured logging data from the individual |
| 349 | // containers. For example, the files might be newline separated JSON |
| 350 | // structured logs, systemd-journald journal files, gRPC trace files, etc. |
| 351 | // E.g., |
| 352 | // PodSandboxConfig.LogDirectory = `/var/log/pods/<podUID>/` |
| 353 | // ContainerConfig.LogPath = `containerName/Instance#.log` |
| 354 | // |
| 355 | // WARNING: Log management and how kubelet should interface with the |
| 356 | // container logs are under active discussion in |
| 357 | // https://issues.k8s.io/24677. There *may* be future change of direction |
| 358 | // for logging as the discussion carries on. |
| 359 | string log_directory = 3; |
| 360 | // DNS config for the sandbox. |
| 361 | DNSConfig dns_config = 4; |
| 362 | // Port mappings for the sandbox. |
| 363 | repeated PortMapping port_mappings = 5; |
| 364 | // Key-value pairs that may be used to scope and select individual resources. |
| 365 | map<string, string> labels = 6; |
| 366 | // Unstructured key-value map that may be set by the kubelet to store and |
| 367 | // retrieve arbitrary metadata. This will include any annotations set on a |
| 368 | // pod through the Kubernetes API. |
| 369 | // |
| 370 | // Annotations MUST NOT be altered by the runtime; the annotations stored |
| 371 | // here MUST be returned in the PodSandboxStatus associated with the pod |
| 372 | // this PodSandboxConfig creates. |
| 373 | // |
| 374 | // In general, in order to preserve a well-defined interface between the |
| 375 | // kubelet and the container runtime, annotations SHOULD NOT influence |
| 376 | // runtime behaviour. |
| 377 | // |
| 378 | // Annotations can also be useful for runtime authors to experiment with |
| 379 | // new features that are opaque to the Kubernetes APIs (both user-facing |
| 380 | // and the CRI). Whenever possible, however, runtime authors SHOULD |
| 381 | // consider proposing new typed fields for any new features instead. |
| 382 | map<string, string> annotations = 7; |
| 383 | // Optional configurations specific to Linux hosts. |
| 384 | LinuxPodSandboxConfig linux = 8; |
| 385 | // Optional configurations specific to Windows hosts. |
| 386 | WindowsPodSandboxConfig windows = 9; |
| 387 | } |
| 388 | |
| 389 | message RunPodSandboxRequest { |
| 390 | // Configuration for creating a PodSandbox. |
| 391 | PodSandboxConfig config = 1; |
| 392 | // Named runtime configuration to use for this PodSandbox. |
| 393 | // If the runtime handler is unknown, this request should be rejected. An |
| 394 | // empty string should select the default handler, equivalent to the |
| 395 | // behavior before this feature was added. |
| 396 | // See https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class |
| 397 | string runtime_handler = 2; |
| 398 | } |
| 399 | |
| 400 | message RunPodSandboxResponse { |
| 401 | // ID of the PodSandbox to run. |
| 402 | string pod_sandbox_id = 1; |
| 403 | } |
| 404 | |
| 405 | message StopPodSandboxRequest { |
| 406 | // ID of the PodSandbox to stop. |
| 407 | string pod_sandbox_id = 1; |
| 408 | } |
| 409 | |
| 410 | message StopPodSandboxResponse {} |
| 411 | |
| 412 | message RemovePodSandboxRequest { |
| 413 | // ID of the PodSandbox to remove. |
| 414 | string pod_sandbox_id = 1; |
| 415 | } |
| 416 | |
| 417 | message RemovePodSandboxResponse {} |
| 418 | |
| 419 | message PodSandboxStatusRequest { |
| 420 | // ID of the PodSandbox for which to retrieve status. |
| 421 | string pod_sandbox_id = 1; |
| 422 | // Verbose indicates whether to return extra information about the pod sandbox. |
| 423 | bool verbose = 2; |
| 424 | } |
| 425 | |
| 426 | // PodIP represents an ip of a Pod |
| 427 | message PodIP{ |
| 428 | // an ip is a string representation of an IPv4 or an IPv6 |
| 429 | string ip = 1; |
| 430 | } |
| 431 | // PodSandboxNetworkStatus is the status of the network for a PodSandbox. |
| 432 | message PodSandboxNetworkStatus { |
| 433 | // IP address of the PodSandbox. |
| 434 | string ip = 1; |
| 435 | // list of additional ips (not inclusive of PodSandboxNetworkStatus.Ip) of the PodSandBoxNetworkStatus |
| 436 | repeated PodIP additional_ips = 2; |
| 437 | } |
| 438 | |
| 439 | // Namespace contains paths to the namespaces. |
| 440 | message Namespace { |
| 441 | // Namespace options for Linux namespaces. |
| 442 | NamespaceOption options = 2; |
| 443 | } |
| 444 | |
| 445 | // LinuxSandboxStatus contains status specific to Linux sandboxes. |
| 446 | message LinuxPodSandboxStatus { |
| 447 | // Paths to the sandbox's namespaces. |
| 448 | Namespace namespaces = 1; |
| 449 | } |
| 450 | |
| 451 | enum PodSandboxState { |
| 452 | SANDBOX_READY = 0; |
| 453 | SANDBOX_NOTREADY = 1; |
| 454 | } |
| 455 | |
| 456 | // PodSandboxStatus contains the status of the PodSandbox. |
| 457 | message PodSandboxStatus { |
| 458 | // ID of the sandbox. |
| 459 | string id = 1; |
| 460 | // Metadata of the sandbox. |
| 461 | PodSandboxMetadata metadata = 2; |
| 462 | // State of the sandbox. |
| 463 | PodSandboxState state = 3; |
| 464 | // Creation timestamp of the sandbox in nanoseconds. Must be > 0. |
| 465 | int64 created_at = 4; |
| 466 | // Network contains network status if network is handled by the runtime. |
| 467 | PodSandboxNetworkStatus network = 5; |
| 468 | // Linux-specific status to a pod sandbox. |
| 469 | LinuxPodSandboxStatus linux = 6; |
| 470 | // Labels are key-value pairs that may be used to scope and select individual resources. |
| 471 | map<string, string> labels = 7; |
| 472 | // Unstructured key-value map holding arbitrary metadata. |
| 473 | // Annotations MUST NOT be altered by the runtime; the value of this field |
| 474 | // MUST be identical to that of the corresponding PodSandboxConfig used to |
| 475 | // instantiate the pod sandbox this status represents. |
| 476 | map<string, string> annotations = 8; |
| 477 | // runtime configuration used for this PodSandbox. |
| 478 | string runtime_handler = 9; |
| 479 | } |
| 480 | |
| 481 | message PodSandboxStatusResponse { |
| 482 | // Status of the PodSandbox. |
| 483 | PodSandboxStatus status = 1; |
| 484 | // Info is extra information of the PodSandbox. The key could be arbitrary string, and |
| 485 | // value should be in json format. The information could include anything useful for |
| 486 | // debug, e.g. network namespace for linux container based container runtime. |
| 487 | // It should only be returned non-empty when Verbose is true. |
| 488 | map<string, string> info = 2; |
| 489 | } |
| 490 | |
| 491 | // PodSandboxStateValue is the wrapper of PodSandboxState. |
| 492 | message PodSandboxStateValue { |
| 493 | // State of the sandbox. |
| 494 | PodSandboxState state = 1; |
| 495 | } |
| 496 | |
| 497 | // PodSandboxFilter is used to filter a list of PodSandboxes. |
| 498 | // All those fields are combined with 'AND' |
| 499 | message PodSandboxFilter { |
| 500 | // ID of the sandbox. |
| 501 | string id = 1; |
| 502 | // State of the sandbox. |
| 503 | PodSandboxStateValue state = 2; |
| 504 | // LabelSelector to select matches. |
| 505 | // Only api.MatchLabels is supported for now and the requirements |
| 506 | // are ANDed. MatchExpressions is not supported yet. |
| 507 | map<string, string> label_selector = 3; |
| 508 | } |
| 509 | |
| 510 | message ListPodSandboxRequest { |
| 511 | // PodSandboxFilter to filter a list of PodSandboxes. |
| 512 | PodSandboxFilter filter = 1; |
| 513 | } |
| 514 | |
| 515 | |
| 516 | // PodSandbox contains minimal information about a sandbox. |
| 517 | message PodSandbox { |
| 518 | // ID of the PodSandbox. |
| 519 | string id = 1; |
| 520 | // Metadata of the PodSandbox. |
| 521 | PodSandboxMetadata metadata = 2; |
| 522 | // State of the PodSandbox. |
| 523 | PodSandboxState state = 3; |
| 524 | // Creation timestamps of the PodSandbox in nanoseconds. Must be > 0. |
| 525 | int64 created_at = 4; |
| 526 | // Labels of the PodSandbox. |
| 527 | map<string, string> labels = 5; |
| 528 | // Unstructured key-value map holding arbitrary metadata. |
| 529 | // Annotations MUST NOT be altered by the runtime; the value of this field |
| 530 | // MUST be identical to that of the corresponding PodSandboxConfig used to |
| 531 | // instantiate this PodSandbox. |
| 532 | map<string, string> annotations = 6; |
| 533 | // runtime configuration used for this PodSandbox. |
| 534 | string runtime_handler = 7; |
| 535 | } |
| 536 | |
| 537 | message ListPodSandboxResponse { |
| 538 | // List of PodSandboxes. |
| 539 | repeated PodSandbox items = 1; |
| 540 | } |
| 541 | |
| 542 | // ImageSpec is an internal representation of an image. |
| 543 | message ImageSpec { |
| 544 | // Container's Image field (e.g. imageID or imageDigest). |
| 545 | string image = 1; |
| 546 | // Unstructured key-value map holding arbitrary metadata. |
| 547 | // ImageSpec Annotations can be used to help the runtime target specific |
| 548 | // images in multi-arch images. |
| 549 | map<string, string> annotations = 2; |
| 550 | } |
| 551 | |
| 552 | message KeyValue { |
| 553 | string key = 1; |
| 554 | string value = 2; |
| 555 | } |
| 556 | |
| 557 | // LinuxContainerResources specifies Linux specific configuration for |
| 558 | // resources. |
| 559 | // TODO: Consider using Resources from opencontainers/runtime-spec/specs-go |
| 560 | // directly. |
| 561 | message LinuxContainerResources { |
| 562 | // CPU CFS (Completely Fair Scheduler) period. Default: 0 (not specified). |
| 563 | int64 cpu_period = 1; |
| 564 | // CPU CFS (Completely Fair Scheduler) quota. Default: 0 (not specified). |
| 565 | int64 cpu_quota = 2; |
| 566 | // CPU shares (relative weight vs. other containers). Default: 0 (not specified). |
| 567 | int64 cpu_shares = 3; |
| 568 | // Memory limit in bytes. Default: 0 (not specified). |
| 569 | int64 memory_limit_in_bytes = 4; |
| 570 | // OOMScoreAdj adjusts the oom-killer score. Default: 0 (not specified). |
| 571 | int64 oom_score_adj = 5; |
| 572 | // CpusetCpus constrains the allowed set of logical CPUs. Default: "" (not specified). |
| 573 | string cpuset_cpus = 6; |
| 574 | // CpusetMems constrains the allowed set of memory nodes. Default: "" (not specified). |
| 575 | string cpuset_mems = 7; |
| 576 | // List of HugepageLimits to limit the HugeTLB usage of container per page size. Default: nil (not specified). |
| 577 | repeated HugepageLimit hugepage_limits = 8; |
| 578 | } |
| 579 | |
| 580 | // HugepageLimit corresponds to the file`hugetlb.<hugepagesize>.limit_in_byte` in container level cgroup. |
| 581 | // For example, `PageSize=1GB`, `Limit=1073741824` means setting `1073741824` bytes to hugetlb.1GB.limit_in_bytes. |
| 582 | message HugepageLimit { |
| 583 | // The value of PageSize has the format <size><unit-prefix>B (2MB, 1GB), |
| 584 | // and must match the <hugepagesize> of the corresponding control file found in `hugetlb.<hugepagesize>.limit_in_bytes`. |
| 585 | // The values of <unit-prefix> are intended to be parsed using base 1024("1KB" = 1024, "1MB" = 1048576, etc). |
| 586 | string page_size = 1; |
| 587 | // limit in bytes of hugepagesize HugeTLB usage. |
| 588 | uint64 limit = 2; |
| 589 | } |
| 590 | |
| 591 | // SELinuxOption are the labels to be applied to the container. |
| 592 | message SELinuxOption { |
| 593 | string user = 1; |
| 594 | string role = 2; |
| 595 | string type = 3; |
| 596 | string level = 4; |
| 597 | } |
| 598 | |
| 599 | // Capability contains the container capabilities to add or drop |
| 600 | message Capability { |
| 601 | // List of capabilities to add. |
| 602 | repeated string add_capabilities = 1; |
| 603 | // List of capabilities to drop. |
| 604 | repeated string drop_capabilities = 2; |
| 605 | } |
| 606 | |
| 607 | // LinuxContainerSecurityContext holds linux security configuration that will be applied to a container. |
| 608 | message LinuxContainerSecurityContext { |
| 609 | // Capabilities to add or drop. |
| 610 | Capability capabilities = 1; |
| 611 | // If set, run container in privileged mode. |
| 612 | // Privileged mode is incompatible with the following options. If |
| 613 | // privileged is set, the following features MAY have no effect: |
| 614 | // 1. capabilities |
| 615 | // 2. selinux_options |
| 616 | // 4. seccomp |
| 617 | // 5. apparmor |
| 618 | // |
| 619 | // Privileged mode implies the following specific options are applied: |
| 620 | // 1. All capabilities are added. |
| 621 | // 2. Sensitive paths, such as kernel module paths within sysfs, are not masked. |
| 622 | // 3. Any sysfs and procfs mounts are mounted RW. |
| 623 | // 4. AppArmor confinement is not applied. |
| 624 | // 5. Seccomp restrictions are not applied. |
| 625 | // 6. The device cgroup does not restrict access to any devices. |
| 626 | // 7. All devices from the host's /dev are available within the container. |
| 627 | // 8. SELinux restrictions are not applied (e.g. label=disabled). |
| 628 | bool privileged = 2; |
| 629 | // Configurations for the container's namespaces. |
| 630 | // Only used if the container uses namespace for isolation. |
| 631 | NamespaceOption namespace_options = 3; |
| 632 | // SELinux context to be optionally applied. |
| 633 | SELinuxOption selinux_options = 4; |
| 634 | // UID to run the container process as. Only one of run_as_user and |
| 635 | // run_as_username can be specified at a time. |
| 636 | Int64Value run_as_user = 5; |
| 637 | // GID to run the container process as. run_as_group should only be specified |
| 638 | // when run_as_user or run_as_username is specified; otherwise, the runtime |
| 639 | // MUST error. |
| 640 | Int64Value run_as_group = 12; |
| 641 | // User name to run the container process as. If specified, the user MUST |
| 642 | // exist in the container image (i.e. in the /etc/passwd inside the image), |
| 643 | // and be resolved there by the runtime; otherwise, the runtime MUST error. |
| 644 | string run_as_username = 6; |
| 645 | // If set, the root filesystem of the container is read-only. |
| 646 | bool readonly_rootfs = 7; |
| 647 | // List of groups applied to the first process run in the container, in |
| 648 | // addition to the container's primary GID. |
| 649 | repeated int64 supplemental_groups = 8; |
| 650 | // no_new_privs defines if the flag for no_new_privs should be set on the |
| 651 | // container. |
| 652 | bool no_new_privs = 11; |
| 653 | // masked_paths is a slice of paths that should be masked by the container |
| 654 | // runtime, this can be passed directly to the OCI spec. |
| 655 | repeated string masked_paths = 13; |
| 656 | // readonly_paths is a slice of paths that should be set as readonly by the |
| 657 | // container runtime, this can be passed directly to the OCI spec. |
| 658 | repeated string readonly_paths = 14; |
| 659 | // Seccomp profile for the container. |
| 660 | SecurityProfile seccomp = 15; |
| 661 | // AppArmor profile for the container. |
| 662 | SecurityProfile apparmor = 16; |
| 663 | // AppArmor profile for the container, candidate values are: |
| 664 | // * runtime/default: equivalent to not specifying a profile. |
| 665 | // * unconfined: no profiles are loaded |
| 666 | // * localhost/<profile_name>: profile loaded on the node |
| 667 | // (localhost) by name. The possible profile names are detailed at |
| 668 | // https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference |
| 669 | string apparmor_profile = 9 [deprecated=true]; |
| 670 | // Seccomp profile for the container, candidate values are: |
| 671 | // * runtime/default: the default profile for the container runtime |
| 672 | // * unconfined: unconfined profile, ie, no seccomp sandboxing |
| 673 | // * localhost/<full-path-to-profile>: the profile installed on the node. |
| 674 | // <full-path-to-profile> is the full path of the profile. |
| 675 | // Default: "", which is identical with unconfined. |
| 676 | string seccomp_profile_path = 10 [deprecated=true]; |
| 677 | } |
| 678 | |
| 679 | // LinuxContainerConfig contains platform-specific configuration for |
| 680 | // Linux-based containers. |
| 681 | message LinuxContainerConfig { |
| 682 | // Resources specification for the container. |
| 683 | LinuxContainerResources resources = 1; |
| 684 | // LinuxContainerSecurityContext configuration for the container. |
| 685 | LinuxContainerSecurityContext security_context = 2; |
| 686 | } |
| 687 | |
| 688 | // WindowsSandboxSecurityContext holds platform-specific configurations that will be |
| 689 | // applied to a sandbox. |
| 690 | // These settings will only apply to the sandbox container. |
| 691 | message WindowsSandboxSecurityContext { |
| 692 | // User name to run the container process as. If specified, the user MUST |
| 693 | // exist in the container image and be resolved there by the runtime; |
| 694 | // otherwise, the runtime MUST return error. |
| 695 | string run_as_username = 1; |
| 696 | |
| 697 | // The contents of the GMSA credential spec to use to run this container. |
| 698 | string credential_spec = 2; |
| 699 | |
| 700 | // Indicates whether the container be asked to run as a HostProcess container. |
| 701 | bool host_process = 3; |
| 702 | } |
| 703 | |
| 704 | // WindowsPodSandboxConfig holds platform-specific configurations for Windows |
| 705 | // host platforms and Windows-based containers. |
| 706 | message WindowsPodSandboxConfig { |
| 707 | // WindowsSandboxSecurityContext holds sandbox security attributes. |
| 708 | WindowsSandboxSecurityContext security_context = 1; |
| 709 | } |
| 710 | |
| 711 | // WindowsContainerSecurityContext holds windows security configuration that will be applied to a container. |
| 712 | message WindowsContainerSecurityContext { |
| 713 | // User name to run the container process as. If specified, the user MUST |
| 714 | // exist in the container image and be resolved there by the runtime; |
| 715 | // otherwise, the runtime MUST return error. |
| 716 | string run_as_username = 1; |
| 717 | |
| 718 | // The contents of the GMSA credential spec to use to run this container. |
| 719 | string credential_spec = 2; |
| 720 | |
| 721 | // Indicates whether a container is to be run as a HostProcess container. |
| 722 | bool host_process = 3; |
| 723 | } |
| 724 | |
| 725 | // WindowsContainerConfig contains platform-specific configuration for |
| 726 | // Windows-based containers. |
| 727 | message WindowsContainerConfig { |
| 728 | // Resources specification for the container. |
| 729 | WindowsContainerResources resources = 1; |
| 730 | // WindowsContainerSecurityContext configuration for the container. |
| 731 | WindowsContainerSecurityContext security_context = 2; |
| 732 | } |
| 733 | |
| 734 | // WindowsContainerResources specifies Windows specific configuration for |
| 735 | // resources. |
| 736 | message WindowsContainerResources { |
| 737 | // CPU shares (relative weight vs. other containers). Default: 0 (not specified). |
| 738 | int64 cpu_shares = 1; |
| 739 | // Number of CPUs available to the container. Default: 0 (not specified). |
| 740 | int64 cpu_count = 2; |
| 741 | // Specifies the portion of processor cycles that this container can use as a percentage times 100. |
| 742 | int64 cpu_maximum = 3; |
| 743 | // Memory limit in bytes. Default: 0 (not specified). |
| 744 | int64 memory_limit_in_bytes = 4; |
| 745 | } |
| 746 | |
| 747 | // ContainerMetadata holds all necessary information for building the container |
| 748 | // name. The container runtime is encouraged to expose the metadata in its user |
| 749 | // interface for better user experience. E.g., runtime can construct a unique |
| 750 | // container name based on the metadata. Note that (name, attempt) is unique |
| 751 | // within a sandbox for the entire lifetime of the sandbox. |
| 752 | message ContainerMetadata { |
| 753 | // Name of the container. Same as the container name in the PodSpec. |
| 754 | string name = 1; |
| 755 | // Attempt number of creating the container. Default: 0. |
| 756 | uint32 attempt = 2; |
| 757 | } |
| 758 | |
| 759 | // Device specifies a host device to mount into a container. |
| 760 | message Device { |
| 761 | // Path of the device within the container. |
| 762 | string container_path = 1; |
| 763 | // Path of the device on the host. |
| 764 | string host_path = 2; |
| 765 | // Cgroups permissions of the device, candidates are one or more of |
| 766 | // * r - allows container to read from the specified device. |
| 767 | // * w - allows container to write to the specified device. |
| 768 | // * m - allows container to create device files that do not yet exist. |
| 769 | string permissions = 3; |
| 770 | } |
| 771 | |
| 772 | // ContainerConfig holds all the required and optional fields for creating a |
| 773 | // container. |
| 774 | message ContainerConfig { |
| 775 | // Metadata of the container. This information will uniquely identify the |
| 776 | // container, and the runtime should leverage this to ensure correct |
| 777 | // operation. The runtime may also use this information to improve UX, such |
| 778 | // as by constructing a readable name. |
| 779 | ContainerMetadata metadata = 1 ; |
| 780 | // Image to use. |
| 781 | ImageSpec image = 2; |
| 782 | // Command to execute (i.e., entrypoint for docker) |
| 783 | repeated string command = 3; |
| 784 | // Args for the Command (i.e., command for docker) |
| 785 | repeated string args = 4; |
| 786 | // Current working directory of the command. |
| 787 | string working_dir = 5; |
| 788 | // List of environment variable to set in the container. |
| 789 | repeated KeyValue envs = 6; |
| 790 | // Mounts for the container. |
| 791 | repeated Mount mounts = 7; |
| 792 | // Devices for the container. |
| 793 | repeated Device devices = 8; |
| 794 | // Key-value pairs that may be used to scope and select individual resources. |
| 795 | // Label keys are of the form: |
| 796 | // label-key ::= prefixed-name | name |
| 797 | // prefixed-name ::= prefix '/' name |
| 798 | // prefix ::= DNS_SUBDOMAIN |
| 799 | // name ::= DNS_LABEL |
| 800 | map<string, string> labels = 9; |
| 801 | // Unstructured key-value map that may be used by the kubelet to store and |
| 802 | // retrieve arbitrary metadata. |
| 803 | // |
| 804 | // Annotations MUST NOT be altered by the runtime; the annotations stored |
| 805 | // here MUST be returned in the ContainerStatus associated with the container |
| 806 | // this ContainerConfig creates. |
| 807 | // |
| 808 | // In general, in order to preserve a well-defined interface between the |
| 809 | // kubelet and the container runtime, annotations SHOULD NOT influence |
| 810 | // runtime behaviour. |
| 811 | map<string, string> annotations = 10; |
| 812 | // Path relative to PodSandboxConfig.LogDirectory for container to store |
| 813 | // the log (STDOUT and STDERR) on the host. |
| 814 | // E.g., |
| 815 | // PodSandboxConfig.LogDirectory = `/var/log/pods/<podUID>/` |
| 816 | // ContainerConfig.LogPath = `containerName/Instance#.log` |
| 817 | // |
| 818 | // WARNING: Log management and how kubelet should interface with the |
| 819 | // container logs are under active discussion in |
| 820 | // https://issues.k8s.io/24677. There *may* be future change of direction |
| 821 | // for logging as the discussion carries on. |
| 822 | string log_path = 11; |
| 823 | |
| 824 | // Variables for interactive containers, these have very specialized |
| 825 | // use-cases (e.g. debugging). |
| 826 | // TODO: Determine if we need to continue supporting these fields that are |
| 827 | // part of Kubernetes's Container Spec. |
| 828 | bool stdin = 12; |
| 829 | bool stdin_once = 13; |
| 830 | bool tty = 14; |
| 831 | |
| 832 | // Configuration specific to Linux containers. |
| 833 | LinuxContainerConfig linux = 15; |
| 834 | // Configuration specific to Windows containers. |
| 835 | WindowsContainerConfig windows = 16; |
| 836 | } |
| 837 | |
| 838 | message CreateContainerRequest { |
| 839 | // ID of the PodSandbox in which the container should be created. |
| 840 | string pod_sandbox_id = 1; |
| 841 | // Config of the container. |
| 842 | ContainerConfig config = 2; |
| 843 | // Config of the PodSandbox. This is the same config that was passed |
| 844 | // to RunPodSandboxRequest to create the PodSandbox. It is passed again |
| 845 | // here just for easy reference. The PodSandboxConfig is immutable and |
| 846 | // remains the same throughout the lifetime of the pod. |
| 847 | PodSandboxConfig sandbox_config = 3; |
| 848 | } |
| 849 | |
| 850 | message CreateContainerResponse { |
| 851 | // ID of the created container. |
| 852 | string container_id = 1; |
| 853 | } |
| 854 | |
| 855 | message StartContainerRequest { |
| 856 | // ID of the container to start. |
| 857 | string container_id = 1; |
| 858 | } |
| 859 | |
| 860 | message StartContainerResponse {} |
| 861 | |
| 862 | message StopContainerRequest { |
| 863 | // ID of the container to stop. |
| 864 | string container_id = 1; |
| 865 | // Timeout in seconds to wait for the container to stop before forcibly |
| 866 | // terminating it. Default: 0 (forcibly terminate the container immediately) |
| 867 | int64 timeout = 2; |
| 868 | } |
| 869 | |
| 870 | message StopContainerResponse {} |
| 871 | |
| 872 | message RemoveContainerRequest { |
| 873 | // ID of the container to remove. |
| 874 | string container_id = 1; |
| 875 | } |
| 876 | |
| 877 | message RemoveContainerResponse {} |
| 878 | |
| 879 | enum ContainerState { |
| 880 | CONTAINER_CREATED = 0; |
| 881 | CONTAINER_RUNNING = 1; |
| 882 | CONTAINER_EXITED = 2; |
| 883 | CONTAINER_UNKNOWN = 3; |
| 884 | } |
| 885 | |
| 886 | // ContainerStateValue is the wrapper of ContainerState. |
| 887 | message ContainerStateValue { |
| 888 | // State of the container. |
| 889 | ContainerState state = 1; |
| 890 | } |
| 891 | |
| 892 | // ContainerFilter is used to filter containers. |
| 893 | // All those fields are combined with 'AND' |
| 894 | message ContainerFilter { |
| 895 | // ID of the container. |
| 896 | string id = 1; |
| 897 | // State of the container. |
| 898 | ContainerStateValue state = 2; |
| 899 | // ID of the PodSandbox. |
| 900 | string pod_sandbox_id = 3; |
| 901 | // LabelSelector to select matches. |
| 902 | // Only api.MatchLabels is supported for now and the requirements |
| 903 | // are ANDed. MatchExpressions is not supported yet. |
| 904 | map<string, string> label_selector = 4; |
| 905 | } |
| 906 | |
| 907 | message ListContainersRequest { |
| 908 | ContainerFilter filter = 1; |
| 909 | } |
| 910 | |
| 911 | // Container provides the runtime information for a container, such as ID, hash, |
| 912 | // state of the container. |
| 913 | message Container { |
| 914 | // ID of the container, used by the container runtime to identify |
| 915 | // a container. |
| 916 | string id = 1; |
| 917 | // ID of the sandbox to which this container belongs. |
| 918 | string pod_sandbox_id = 2; |
| 919 | // Metadata of the container. |
| 920 | ContainerMetadata metadata = 3; |
| 921 | // Spec of the image. |
| 922 | ImageSpec image = 4; |
| 923 | // Reference to the image in use. For most runtimes, this should be an |
| 924 | // image ID. |
| 925 | string image_ref = 5; |
| 926 | // State of the container. |
| 927 | ContainerState state = 6; |
| 928 | // Creation time of the container in nanoseconds. |
| 929 | int64 created_at = 7; |
| 930 | // Key-value pairs that may be used to scope and select individual resources. |
| 931 | map<string, string> labels = 8; |
| 932 | // Unstructured key-value map holding arbitrary metadata. |
| 933 | // Annotations MUST NOT be altered by the runtime; the value of this field |
| 934 | // MUST be identical to that of the corresponding ContainerConfig used to |
| 935 | // instantiate this Container. |
| 936 | map<string, string> annotations = 9; |
| 937 | } |
| 938 | |
| 939 | message ListContainersResponse { |
| 940 | // List of containers. |
| 941 | repeated Container containers = 1; |
| 942 | } |
| 943 | |
| 944 | message ContainerStatusRequest { |
| 945 | // ID of the container for which to retrieve status. |
| 946 | string container_id = 1; |
| 947 | // Verbose indicates whether to return extra information about the container. |
| 948 | bool verbose = 2; |
| 949 | } |
| 950 | |
| 951 | // ContainerStatus represents the status of a container. |
| 952 | message ContainerStatus { |
| 953 | // ID of the container. |
| 954 | string id = 1; |
| 955 | // Metadata of the container. |
| 956 | ContainerMetadata metadata = 2; |
| 957 | // Status of the container. |
| 958 | ContainerState state = 3; |
| 959 | // Creation time of the container in nanoseconds. |
| 960 | int64 created_at = 4; |
| 961 | // Start time of the container in nanoseconds. Default: 0 (not specified). |
| 962 | int64 started_at = 5; |
| 963 | // Finish time of the container in nanoseconds. Default: 0 (not specified). |
| 964 | int64 finished_at = 6; |
| 965 | // Exit code of the container. Only required when finished_at != 0. Default: 0. |
| 966 | int32 exit_code = 7; |
| 967 | // Spec of the image. |
| 968 | ImageSpec image = 8; |
| 969 | // Reference to the image in use. For most runtimes, this should be an |
| 970 | // image ID |
| 971 | string image_ref = 9; |
| 972 | // Brief CamelCase string explaining why container is in its current state. |
| 973 | string reason = 10; |
| 974 | // Human-readable message indicating details about why container is in its |
| 975 | // current state. |
| 976 | string message = 11; |
| 977 | // Key-value pairs that may be used to scope and select individual resources. |
| 978 | map<string,string> labels = 12; |
| 979 | // Unstructured key-value map holding arbitrary metadata. |
| 980 | // Annotations MUST NOT be altered by the runtime; the value of this field |
| 981 | // MUST be identical to that of the corresponding ContainerConfig used to |
| 982 | // instantiate the Container this status represents. |
| 983 | map<string,string> annotations = 13; |
| 984 | // Mounts for the container. |
| 985 | repeated Mount mounts = 14; |
| 986 | // Log path of container. |
| 987 | string log_path = 15; |
| 988 | } |
| 989 | |
| 990 | message ContainerStatusResponse { |
| 991 | // Status of the container. |
| 992 | ContainerStatus status = 1; |
| 993 | // Info is extra information of the Container. The key could be arbitrary string, and |
| 994 | // value should be in json format. The information could include anything useful for |
| 995 | // debug, e.g. pid for linux container based container runtime. |
| 996 | // It should only be returned non-empty when Verbose is true. |
| 997 | map<string, string> info = 2; |
| 998 | } |
| 999 | |
| 1000 | message UpdateContainerResourcesRequest { |
| 1001 | // ID of the container to update. |
| 1002 | string container_id = 1; |
| 1003 | // Resource configuration specific to Linux containers. |
| 1004 | LinuxContainerResources linux = 2; |
| 1005 | // Resource configuration specific to Windows containers. |
| 1006 | WindowsContainerResources windows = 3; |
| 1007 | // Unstructured key-value map holding arbitrary additional information for |
| 1008 | // container resources updating. This can be used for specifying experimental |
| 1009 | // resources to update or other options to use when updating the container. |
| 1010 | map<string, string> annotations = 4; |
| 1011 | } |
| 1012 | |
| 1013 | message UpdateContainerResourcesResponse {} |
| 1014 | |
| 1015 | message ExecSyncRequest { |
| 1016 | // ID of the container. |
| 1017 | string container_id = 1; |
| 1018 | // Command to execute. |
| 1019 | repeated string cmd = 2; |
| 1020 | // Timeout in seconds to stop the command. Default: 0 (run forever). |
| 1021 | int64 timeout = 3; |
| 1022 | } |
| 1023 | |
| 1024 | message ExecSyncResponse { |
| 1025 | // Captured command stdout output. |
| 1026 | bytes stdout = 1; |
| 1027 | // Captured command stderr output. |
| 1028 | bytes stderr = 2; |
| 1029 | // Exit code the command finished with. Default: 0 (success). |
| 1030 | int32 exit_code = 3; |
| 1031 | } |
| 1032 | |
| 1033 | message ExecRequest { |
| 1034 | // ID of the container in which to execute the command. |
| 1035 | string container_id = 1; |
| 1036 | // Command to execute. |
| 1037 | repeated string cmd = 2; |
| 1038 | // Whether to exec the command in a TTY. |
| 1039 | bool tty = 3; |
| 1040 | // Whether to stream stdin. |
| 1041 | // One of `stdin`, `stdout`, and `stderr` MUST be true. |
| 1042 | bool stdin = 4; |
| 1043 | // Whether to stream stdout. |
| 1044 | // One of `stdin`, `stdout`, and `stderr` MUST be true. |
| 1045 | bool stdout = 5; |
| 1046 | // Whether to stream stderr. |
| 1047 | // One of `stdin`, `stdout`, and `stderr` MUST be true. |
| 1048 | // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported |
| 1049 | // in this case. The output of stdout and stderr will be combined to a |
| 1050 | // single stream. |
| 1051 | bool stderr = 6; |
| 1052 | } |
| 1053 | |
| 1054 | message ExecResponse { |
| 1055 | // Fully qualified URL of the exec streaming server. |
| 1056 | string url = 1; |
| 1057 | } |
| 1058 | |
| 1059 | message AttachRequest { |
| 1060 | // ID of the container to which to attach. |
| 1061 | string container_id = 1; |
| 1062 | // Whether to stream stdin. |
| 1063 | // One of `stdin`, `stdout`, and `stderr` MUST be true. |
| 1064 | bool stdin = 2; |
| 1065 | // Whether the process being attached is running in a TTY. |
| 1066 | // This must match the TTY setting in the ContainerConfig. |
| 1067 | bool tty = 3; |
| 1068 | // Whether to stream stdout. |
| 1069 | // One of `stdin`, `stdout`, and `stderr` MUST be true. |
| 1070 | bool stdout = 4; |
| 1071 | // Whether to stream stderr. |
| 1072 | // One of `stdin`, `stdout`, and `stderr` MUST be true. |
| 1073 | // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported |
| 1074 | // in this case. The output of stdout and stderr will be combined to a |
| 1075 | // single stream. |
| 1076 | bool stderr = 5; |
| 1077 | } |
| 1078 | |
| 1079 | message AttachResponse { |
| 1080 | // Fully qualified URL of the attach streaming server. |
| 1081 | string url = 1; |
| 1082 | } |
| 1083 | |
| 1084 | message PortForwardRequest { |
| 1085 | // ID of the container to which to forward the port. |
| 1086 | string pod_sandbox_id = 1; |
| 1087 | // Port to forward. |
| 1088 | repeated int32 port = 2; |
| 1089 | } |
| 1090 | |
| 1091 | message PortForwardResponse { |
| 1092 | // Fully qualified URL of the port-forward streaming server. |
| 1093 | string url = 1; |
| 1094 | } |
| 1095 | |
| 1096 | message ImageFilter { |
| 1097 | // Spec of the image. |
| 1098 | ImageSpec image = 1; |
| 1099 | } |
| 1100 | |
| 1101 | message ListImagesRequest { |
| 1102 | // Filter to list images. |
| 1103 | ImageFilter filter = 1; |
| 1104 | } |
| 1105 | |
| 1106 | // Basic information about a container image. |
| 1107 | message Image { |
| 1108 | // ID of the image. |
| 1109 | string id = 1; |
| 1110 | // Other names by which this image is known. |
| 1111 | repeated string repo_tags = 2; |
| 1112 | // Digests by which this image is known. |
| 1113 | repeated string repo_digests = 3; |
| 1114 | // Size of the image in bytes. Must be > 0. |
| 1115 | uint64 size = 4; |
| 1116 | // UID that will run the command(s). This is used as a default if no user is |
| 1117 | // specified when creating the container. UID and the following user name |
| 1118 | // are mutually exclusive. |
| 1119 | Int64Value uid = 5; |
| 1120 | // User name that will run the command(s). This is used if UID is not set |
| 1121 | // and no user is specified when creating container. |
| 1122 | string username = 6; |
| 1123 | // ImageSpec for image which includes annotations |
| 1124 | ImageSpec spec = 7; |
| 1125 | } |
| 1126 | |
| 1127 | message ListImagesResponse { |
| 1128 | // List of images. |
| 1129 | repeated Image images = 1; |
| 1130 | } |
| 1131 | |
| 1132 | message ImageStatusRequest { |
| 1133 | // Spec of the image. |
| 1134 | ImageSpec image = 1; |
| 1135 | // Verbose indicates whether to return extra information about the image. |
| 1136 | bool verbose = 2; |
| 1137 | } |
| 1138 | |
| 1139 | message ImageStatusResponse { |
| 1140 | // Status of the image. |
| 1141 | Image image = 1; |
| 1142 | // Info is extra information of the Image. The key could be arbitrary string, and |
| 1143 | // value should be in json format. The information could include anything useful |
| 1144 | // for debug, e.g. image config for oci image based container runtime. |
| 1145 | // It should only be returned non-empty when Verbose is true. |
| 1146 | map<string, string> info = 2; |
| 1147 | } |
| 1148 | |
| 1149 | // AuthConfig contains authorization information for connecting to a registry. |
| 1150 | message AuthConfig { |
| 1151 | string username = 1; |
| 1152 | string password = 2; |
| 1153 | string auth = 3; |
| 1154 | string server_address = 4; |
| 1155 | // IdentityToken is used to authenticate the user and get |
| 1156 | // an access token for the registry. |
| 1157 | string identity_token = 5; |
| 1158 | // RegistryToken is a bearer token to be sent to a registry |
| 1159 | string registry_token = 6; |
| 1160 | } |
| 1161 | |
| 1162 | message PullImageRequest { |
| 1163 | // Spec of the image. |
| 1164 | ImageSpec image = 1; |
| 1165 | // Authentication configuration for pulling the image. |
| 1166 | AuthConfig auth = 2; |
| 1167 | // Config of the PodSandbox, which is used to pull image in PodSandbox context. |
| 1168 | PodSandboxConfig sandbox_config = 3; |
| 1169 | } |
| 1170 | |
| 1171 | message PullImageResponse { |
| 1172 | // Reference to the image in use. For most runtimes, this should be an |
| 1173 | // image ID or digest. |
| 1174 | string image_ref = 1; |
| 1175 | } |
| 1176 | |
| 1177 | message RemoveImageRequest { |
| 1178 | // Spec of the image to remove. |
| 1179 | ImageSpec image = 1; |
| 1180 | } |
| 1181 | |
| 1182 | message RemoveImageResponse {} |
| 1183 | |
| 1184 | message NetworkConfig { |
| 1185 | // CIDR to use for pod IP addresses. If the CIDR is empty, runtimes |
| 1186 | // should omit it. |
| 1187 | string pod_cidr = 1; |
| 1188 | } |
| 1189 | |
| 1190 | message RuntimeConfig { |
| 1191 | NetworkConfig network_config = 1; |
| 1192 | } |
| 1193 | |
| 1194 | message UpdateRuntimeConfigRequest { |
| 1195 | RuntimeConfig runtime_config = 1; |
| 1196 | } |
| 1197 | |
| 1198 | message UpdateRuntimeConfigResponse {} |
| 1199 | |
| 1200 | // RuntimeCondition contains condition information for the runtime. |
| 1201 | // There are 2 kinds of runtime conditions: |
| 1202 | // 1. Required conditions: Conditions are required for kubelet to work |
| 1203 | // properly. If any required condition is unmet, the node will be not ready. |
| 1204 | // The required conditions include: |
| 1205 | // * RuntimeReady: RuntimeReady means the runtime is up and ready to accept |
| 1206 | // basic containers e.g. container only needs host network. |
| 1207 | // * NetworkReady: NetworkReady means the runtime network is up and ready to |
| 1208 | // accept containers which require container network. |
| 1209 | // 2. Optional conditions: Conditions are informative to the user, but kubelet |
| 1210 | // will not rely on. Since condition type is an arbitrary string, all conditions |
| 1211 | // not required are optional. These conditions will be exposed to users to help |
| 1212 | // them understand the status of the system. |
| 1213 | message RuntimeCondition { |
| 1214 | // Type of runtime condition. |
| 1215 | string type = 1; |
| 1216 | // Status of the condition, one of true/false. Default: false. |
| 1217 | bool status = 2; |
| 1218 | // Brief CamelCase string containing reason for the condition's last transition. |
| 1219 | string reason = 3; |
| 1220 | // Human-readable message indicating details about last transition. |
| 1221 | string message = 4; |
| 1222 | } |
| 1223 | |
| 1224 | // RuntimeStatus is information about the current status of the runtime. |
| 1225 | message RuntimeStatus { |
| 1226 | // List of current observed runtime conditions. |
| 1227 | repeated RuntimeCondition conditions = 1; |
| 1228 | } |
| 1229 | |
| 1230 | message StatusRequest { |
| 1231 | // Verbose indicates whether to return extra information about the runtime. |
| 1232 | bool verbose = 1; |
| 1233 | } |
| 1234 | |
| 1235 | message StatusResponse { |
| 1236 | // Status of the Runtime. |
| 1237 | RuntimeStatus status = 1; |
| 1238 | // Info is extra information of the Runtime. The key could be arbitrary string, and |
| 1239 | // value should be in json format. The information could include anything useful for |
| 1240 | // debug, e.g. plugins used by the container runtime. |
| 1241 | // It should only be returned non-empty when Verbose is true. |
| 1242 | map<string, string> info = 2; |
| 1243 | } |
| 1244 | |
| 1245 | message ImageFsInfoRequest {} |
| 1246 | |
| 1247 | // UInt64Value is the wrapper of uint64. |
| 1248 | message UInt64Value { |
| 1249 | // The value. |
| 1250 | uint64 value = 1; |
| 1251 | } |
| 1252 | |
| 1253 | // FilesystemIdentifier uniquely identify the filesystem. |
| 1254 | message FilesystemIdentifier{ |
| 1255 | // Mountpoint of a filesystem. |
| 1256 | string mountpoint = 1; |
| 1257 | } |
| 1258 | |
| 1259 | // FilesystemUsage provides the filesystem usage information. |
| 1260 | message FilesystemUsage { |
| 1261 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. |
| 1262 | int64 timestamp = 1; |
| 1263 | // The unique identifier of the filesystem. |
| 1264 | FilesystemIdentifier fs_id = 2; |
| 1265 | // UsedBytes represents the bytes used for images on the filesystem. |
| 1266 | // This may differ from the total bytes used on the filesystem and may not |
| 1267 | // equal CapacityBytes - AvailableBytes. |
| 1268 | UInt64Value used_bytes = 3; |
| 1269 | // InodesUsed represents the inodes used by the images. |
| 1270 | // This may not equal InodesCapacity - InodesAvailable because the underlying |
| 1271 | // filesystem may also be used for purposes other than storing images. |
| 1272 | UInt64Value inodes_used = 4; |
| 1273 | } |
| 1274 | |
| 1275 | message ImageFsInfoResponse { |
| 1276 | // Information of image filesystem(s). |
| 1277 | repeated FilesystemUsage image_filesystems = 1; |
| 1278 | } |
| 1279 | |
| 1280 | message ContainerStatsRequest{ |
| 1281 | // ID of the container for which to retrieve stats. |
| 1282 | string container_id = 1; |
| 1283 | } |
| 1284 | |
| 1285 | message ContainerStatsResponse { |
| 1286 | // Stats of the container. |
| 1287 | ContainerStats stats = 1; |
| 1288 | } |
| 1289 | |
| 1290 | message ListContainerStatsRequest{ |
| 1291 | // Filter for the list request. |
| 1292 | ContainerStatsFilter filter = 1; |
| 1293 | } |
| 1294 | |
| 1295 | // ContainerStatsFilter is used to filter containers. |
| 1296 | // All those fields are combined with 'AND' |
| 1297 | message ContainerStatsFilter { |
| 1298 | // ID of the container. |
| 1299 | string id = 1; |
| 1300 | // ID of the PodSandbox. |
| 1301 | string pod_sandbox_id = 2; |
| 1302 | // LabelSelector to select matches. |
| 1303 | // Only api.MatchLabels is supported for now and the requirements |
| 1304 | // are ANDed. MatchExpressions is not supported yet. |
| 1305 | map<string, string> label_selector = 3; |
| 1306 | } |
| 1307 | |
| 1308 | message ListContainerStatsResponse { |
| 1309 | // Stats of the container. |
| 1310 | repeated ContainerStats stats = 1; |
| 1311 | } |
| 1312 | |
| 1313 | // ContainerAttributes provides basic information of the container. |
| 1314 | message ContainerAttributes { |
| 1315 | // ID of the container. |
| 1316 | string id = 1; |
| 1317 | // Metadata of the container. |
| 1318 | ContainerMetadata metadata = 2; |
| 1319 | // Key-value pairs that may be used to scope and select individual resources. |
| 1320 | map<string,string> labels = 3; |
| 1321 | // Unstructured key-value map holding arbitrary metadata. |
| 1322 | // Annotations MUST NOT be altered by the runtime; the value of this field |
| 1323 | // MUST be identical to that of the corresponding ContainerConfig used to |
| 1324 | // instantiate the Container this status represents. |
| 1325 | map<string,string> annotations = 4; |
| 1326 | } |
| 1327 | |
| 1328 | // ContainerStats provides the resource usage statistics for a container. |
| 1329 | message ContainerStats { |
| 1330 | // Information of the container. |
| 1331 | ContainerAttributes attributes = 1; |
| 1332 | // CPU usage gathered from the container. |
| 1333 | CpuUsage cpu = 2; |
| 1334 | // Memory usage gathered from the container. |
| 1335 | MemoryUsage memory = 3; |
| 1336 | // Usage of the writable layer. |
| 1337 | FilesystemUsage writable_layer = 4; |
| 1338 | } |
| 1339 | |
| 1340 | // CpuUsage provides the CPU usage information. |
| 1341 | message CpuUsage { |
| 1342 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. |
| 1343 | int64 timestamp = 1; |
| 1344 | // Cumulative CPU usage (sum across all cores) since object creation. |
| 1345 | UInt64Value usage_core_nano_seconds = 2; |
| 1346 | } |
| 1347 | |
| 1348 | // MemoryUsage provides the memory usage information. |
| 1349 | message MemoryUsage { |
| 1350 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. |
| 1351 | int64 timestamp = 1; |
| 1352 | // The amount of working set memory in bytes. |
| 1353 | UInt64Value working_set_bytes = 2; |
| 1354 | } |
| 1355 | |
| 1356 | message ReopenContainerLogRequest { |
| 1357 | // ID of the container for which to reopen the log. |
| 1358 | string container_id = 1; |
| 1359 | } |
| 1360 | |
| 1361 | message ReopenContainerLogResponse{ |
| 1362 | } |
| 1363 | |