v1beta1

package
v0.35.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 17, 2025 License: Apache-2.0 Imports: 11 Imported by: 2,014

Documentation

Index

Constants

View Source 
const (
	// Signs certificates that will be honored as client-certs by the
	// kube-apiserver. Never auto-approved by kube-controller-manager.
	KubeAPIServerClientSignerName = "kubernetes.io/kube-apiserver-client"

	// Signs client certificates that will be honored as client-certs by the
	// kube-apiserver for a kubelet.
	// May be auto-approved by kube-controller-manager.
	KubeAPIServerClientKubeletSignerName = "kubernetes.io/kube-apiserver-client-kubelet"

	// Signs serving certificates that are honored as a valid kubelet serving
	// certificate by the kube-apiserver, but has no other guarantees.
	KubeletServingSignerName = "kubernetes.io/kubelet-serving"

	// Has no guarantees for trust at all. Some distributions may honor these
	// as client certs, but that behavior is not standard kubernetes behavior.
	LegacyUnknownSignerName = "kubernetes.io/legacy-unknown"
)

Built in signerName values that are honoured by kube-controller-manager. None of these usages are related to ServiceAccount token secrets `.data[ca.crt]` in any way.

View Source 
const (
	// Denied indicates the request was denied by the signer.
	PodCertificateRequestConditionTypeDenied string = "Denied"
	// Failed indicates the signer failed to issue the certificate.
	PodCertificateRequestConditionTypeFailed string = "Failed"
	// Issued indicates the certificate has been issued.
	PodCertificateRequestConditionTypeIssued string = "Issued"
)

Well-known condition types for PodCertificateRequests

View Source 
const (
	// UnsupportedKeyType should be set on "Denied" conditions when the signer
	// doesn't support the key type of publicKey.
	PodCertificateRequestConditionUnsupportedKeyType string = "UnsupportedKeyType"

	// InvalidUnverifiedUserAnnotations should be set on "Denied" conditions when the signer
	// does not recognize one of the keys passed in userConfig, or if the signer
	// otherwise considers the userConfig of the request to be invalid.
	PodCertificateRequestConditionInvalidUserConfig string = "InvalidUnverifiedUserAnnotations"
)

Well-known condition reasons for PodCertificateRequests

View Source 
const GroupName = "certificates.k8s.io"

GroupName is the group name use in this package

Variables

View Source 
var (
	ErrInvalidLengthGenerated        = fmt.Errorf("proto: negative length found during unmarshaling")
	ErrIntOverflowGenerated          = fmt.Errorf("proto: integer overflow")
	ErrUnexpectedEndOfGroupGenerated = fmt.Errorf("proto: unexpected end of group")
)
View Source 
var (
	// TODO: move SchemeBuilder with zz_generated.deepcopy.go to k8s.io/api.
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)

	AddToScheme = localSchemeBuilder.AddToScheme
)
View Source 
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"}

SchemeGroupVersion is group version used to register these objects

Functions

func Kind 

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns a Group qualified GroupKind

func Resource 

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type CertificateSigningRequest 

type CertificateSigningRequest struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// spec contains the certificate request, and is immutable after creation.
	// Only the request, signerName, expirationSeconds, and usages fields can be set on creation.
	// Other fields are derived by Kubernetes and cannot be modified by users.
	Spec CertificateSigningRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`

	// Derived information about the request.
	// +optional
	Status CertificateSigningRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

Describes a certificate signing request +k8s:supportsSubresource=/status +k8s:supportsSubresource=/approval

func (*CertificateSigningRequest) APILifecycleDeprecated added in v0.19.0 

func (in *CertificateSigningRequest) APILifecycleDeprecated() (major, minor int)

APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.

func (*CertificateSigningRequest) APILifecycleIntroduced added in v0.19.0 

func (in *CertificateSigningRequest) APILifecycleIntroduced() (major, minor int)

APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.

func (*CertificateSigningRequest) APILifecycleRemoved added in v0.19.0 

func (in *CertificateSigningRequest) APILifecycleRemoved() (major, minor int)

APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.

func (*CertificateSigningRequest) APILifecycleReplacement added in v0.19.0 

func (in *CertificateSigningRequest) APILifecycleReplacement() schema.GroupVersionKind

APILifecycleReplacement is an autogenerated function, returning the group, version, and kind that should be used instead of this deprecated type. It is controlled by "k8s:prerelease-lifecycle-gen:replacement=<group>,<version>,<kind>" tags in types.go.

func (*CertificateSigningRequest) DeepCopy 

func (in *CertificateSigningRequest) DeepCopy() *CertificateSigningRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequest.

func (*CertificateSigningRequest) DeepCopyInto 

func (in *CertificateSigningRequest) DeepCopyInto(out *CertificateSigningRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateSigningRequest) DeepCopyObject 

func (in *CertificateSigningRequest) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*CertificateSigningRequest) Marshal 

func (m *CertificateSigningRequest) Marshal() (dAtA []byte, err error)

func (*CertificateSigningRequest) MarshalTo 

func (m *CertificateSigningRequest) MarshalTo(dAtA []byte) (int, error)

func (*CertificateSigningRequest) MarshalToSizedBuffer added in v0.16.4 

func (m *CertificateSigningRequest) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (CertificateSigningRequest) OpenAPIModelName added in v0.35.0 

func (in CertificateSigningRequest) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*CertificateSigningRequest) Reset 

func (m *CertificateSigningRequest) Reset()

func (*CertificateSigningRequest) Size 

func (m *CertificateSigningRequest) Size() (n int)

func (*CertificateSigningRequest) String 

func (this *CertificateSigningRequest) String() string

func (CertificateSigningRequest) SwaggerDoc 

func (CertificateSigningRequest) SwaggerDoc() map[string]string

func (*CertificateSigningRequest) Unmarshal 

func (m *CertificateSigningRequest) Unmarshal(dAtA []byte) error

type CertificateSigningRequestCondition 

type CertificateSigningRequestCondition struct {
	// type of the condition. Known conditions include "Approved", "Denied", and "Failed".
	Type RequestConditionType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=RequestConditionType"`
	// Status of the condition, one of True, False, Unknown.
	// Approved, Denied, and Failed conditions may not be "False" or "Unknown".
	// Defaults to "True".
	// If unset, should be treated as "True".
	// +optional
	Status v1.ConditionStatus `json:"status" protobuf:"bytes,6,opt,name=status,casttype=k8s.io/api/core/v1.ConditionStatus"`
	// brief reason for the request state
	// +optional
	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
	// human readable message with details about the request state
	// +optional
	Message string `json:"message,omitempty" protobuf:"bytes,3,opt,name=message"`
	// timestamp for the last update to this condition
	// +optional
	LastUpdateTime metav1.Time `json:"lastUpdateTime,omitempty" protobuf:"bytes,4,opt,name=lastUpdateTime"`
	// lastTransitionTime is the time the condition last transitioned from one status to another.
	// If unset, when a new condition type is added or an existing condition's status is changed,
	// the server defaults this to the current time.
	// +optional
	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty" protobuf:"bytes,5,opt,name=lastTransitionTime"`
}

func (*CertificateSigningRequestCondition) DeepCopy 

func (in *CertificateSigningRequestCondition) DeepCopy() *CertificateSigningRequestCondition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestCondition.

func (*CertificateSigningRequestCondition) DeepCopyInto 

func (in *CertificateSigningRequestCondition) DeepCopyInto(out *CertificateSigningRequestCondition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateSigningRequestCondition) Marshal 

func (m *CertificateSigningRequestCondition) Marshal() (dAtA []byte, err error)

func (*CertificateSigningRequestCondition) MarshalTo 

func (m *CertificateSigningRequestCondition) MarshalTo(dAtA []byte) (int, error)

func (*CertificateSigningRequestCondition) MarshalToSizedBuffer added in v0.16.4 

func (m *CertificateSigningRequestCondition) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (CertificateSigningRequestCondition) OpenAPIModelName added in v0.35.0 

func (in CertificateSigningRequestCondition) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*CertificateSigningRequestCondition) Reset 

func (m *CertificateSigningRequestCondition) Reset()

func (*CertificateSigningRequestCondition) Size 

func (m *CertificateSigningRequestCondition) Size() (n int)

func (*CertificateSigningRequestCondition) String 

func (this *CertificateSigningRequestCondition) String() string

func (CertificateSigningRequestCondition) SwaggerDoc 

func (CertificateSigningRequestCondition) SwaggerDoc() map[string]string

func (*CertificateSigningRequestCondition) Unmarshal 

func (m *CertificateSigningRequestCondition) Unmarshal(dAtA []byte) error

type CertificateSigningRequestList 

type CertificateSigningRequestList struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	Items []CertificateSigningRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
}

func (*CertificateSigningRequestList) APILifecycleDeprecated added in v0.19.0 

func (in *CertificateSigningRequestList) APILifecycleDeprecated() (major, minor int)

APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.

func (*CertificateSigningRequestList) APILifecycleIntroduced added in v0.19.0 

func (in *CertificateSigningRequestList) APILifecycleIntroduced() (major, minor int)

APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.

func (*CertificateSigningRequestList) APILifecycleRemoved added in v0.19.0 

func (in *CertificateSigningRequestList) APILifecycleRemoved() (major, minor int)

APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.

func (*CertificateSigningRequestList) APILifecycleReplacement added in v0.19.0 

func (in *CertificateSigningRequestList) APILifecycleReplacement() schema.GroupVersionKind

APILifecycleReplacement is an autogenerated function, returning the group, version, and kind that should be used instead of this deprecated type. It is controlled by "k8s:prerelease-lifecycle-gen:replacement=<group>,<version>,<kind>" tags in types.go.

func (*CertificateSigningRequestList) DeepCopy 

func (in *CertificateSigningRequestList) DeepCopy() *CertificateSigningRequestList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestList.

func (*CertificateSigningRequestList) DeepCopyInto 

func (in *CertificateSigningRequestList) DeepCopyInto(out *CertificateSigningRequestList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateSigningRequestList) DeepCopyObject 

func (in *CertificateSigningRequestList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*CertificateSigningRequestList) Marshal 

func (m *CertificateSigningRequestList) Marshal() (dAtA []byte, err error)

func (*CertificateSigningRequestList) MarshalTo 

func (m *CertificateSigningRequestList) MarshalTo(dAtA []byte) (int, error)

func (*CertificateSigningRequestList) MarshalToSizedBuffer added in v0.16.4 

func (m *CertificateSigningRequestList) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (CertificateSigningRequestList) OpenAPIModelName added in v0.35.0 

func (in CertificateSigningRequestList) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*CertificateSigningRequestList) Reset 

func (m *CertificateSigningRequestList) Reset()

func (*CertificateSigningRequestList) Size 

func (m *CertificateSigningRequestList) Size() (n int)

func (*CertificateSigningRequestList) String 

func (this *CertificateSigningRequestList) String() string

func (*CertificateSigningRequestList) Unmarshal 

func (m *CertificateSigningRequestList) Unmarshal(dAtA []byte) error

type CertificateSigningRequestSpec 

type CertificateSigningRequestSpec struct {
	// Base64-encoded PKCS#10 CSR data
	Request []byte `json:"request" protobuf:"bytes,1,opt,name=request"`

	// Requested signer for the request. It is a qualified name in the form:
	// `scope-hostname.io/name`.
	// If empty, it will be defaulted:
	//  1. If it's a kubelet client certificate, it is assigned
	//     "kubernetes.io/kube-apiserver-client-kubelet".
	//  2. If it's a kubelet serving certificate, it is assigned
	//     "kubernetes.io/kubelet-serving".
	//  3. Otherwise, it is assigned "kubernetes.io/legacy-unknown".
	// Distribution of trust for signers happens out of band.
	// You can select on this field using `spec.signerName`.
	// +optional
	SignerName *string `json:"signerName,omitempty" protobuf:"bytes,7,opt,name=signerName"`

	// expirationSeconds is the requested duration of validity of the issued
	// certificate. The certificate signer may issue a certificate with a different
	// validity duration so a client must check the delta between the notBefore and
	// and notAfter fields in the issued certificate to determine the actual duration.
	//
	// The v1.22+ in-tree implementations of the well-known Kubernetes signers will
	// honor this field as long as the requested duration is not greater than the
	// maximum duration they will honor per the --cluster-signing-duration CLI
	// flag to the Kubernetes controller manager.
	//
	// Certificate signers may not honor this field for various reasons:
	//
	//   1. Old signer that is unaware of the field (such as the in-tree
	//      implementations prior to v1.22)
	//   2. Signer whose configured maximum is shorter than the requested duration
	//   3. Signer whose configured minimum is longer than the requested duration
	//
	// The minimum valid value for expirationSeconds is 600, i.e. 10 minutes.
	//
	// +optional
	ExpirationSeconds *int32 `json:"expirationSeconds,omitempty" protobuf:"varint,8,opt,name=expirationSeconds"`

	// allowedUsages specifies a set of usage contexts the key will be
	// valid for.
	// See:
	//	https://tools.ietf.org/html/rfc5280#section-4.2.1.3
	//	https://tools.ietf.org/html/rfc5280#section-4.2.1.12
	//
	// Valid values are:
	//  "signing",
	//  "digital signature",
	//  "content commitment",
	//  "key encipherment",
	//  "key agreement",
	//  "data encipherment",
	//  "cert sign",
	//  "crl sign",
	//  "encipher only",
	//  "decipher only",
	//  "any",
	//  "server auth",
	//  "client auth",
	//  "code signing",
	//  "email protection",
	//  "s/mime",
	//  "ipsec end system",
	//  "ipsec tunnel",
	//  "ipsec user",
	//  "timestamping",
	//  "ocsp signing",
	//  "microsoft sgc",
	//  "netscape sgc"
	// +listType=atomic
	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=usages"`

	// Information about the requesting user.
	// See user.Info interface for details.
	// +optional
	Username string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
	// UID information about the requesting user.
	// See user.Info interface for details.
	// +optional
	UID string `json:"uid,omitempty" protobuf:"bytes,3,opt,name=uid"`
	// Group information about the requesting user.
	// See user.Info interface for details.
	// +listType=atomic
	// +optional
	Groups []string `json:"groups,omitempty" protobuf:"bytes,4,rep,name=groups"`
	// Extra information about the requesting user.
	// See user.Info interface for details.
	// +optional
	Extra map[string]ExtraValue `json:"extra,omitempty" protobuf:"bytes,6,rep,name=extra"`
}

CertificateSigningRequestSpec contains the certificate request.

func (*CertificateSigningRequestSpec) DeepCopy 

func (in *CertificateSigningRequestSpec) DeepCopy() *CertificateSigningRequestSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestSpec.

func (*CertificateSigningRequestSpec) DeepCopyInto 

func (in *CertificateSigningRequestSpec) DeepCopyInto(out *CertificateSigningRequestSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateSigningRequestSpec) Marshal 

func (m *CertificateSigningRequestSpec) Marshal() (dAtA []byte, err error)

func (*CertificateSigningRequestSpec) MarshalTo 

func (m *CertificateSigningRequestSpec) MarshalTo(dAtA []byte) (int, error)

func (*CertificateSigningRequestSpec) MarshalToSizedBuffer added in v0.16.4 

func (m *CertificateSigningRequestSpec) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (CertificateSigningRequestSpec) OpenAPIModelName added in v0.35.0 

func (in CertificateSigningRequestSpec) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*CertificateSigningRequestSpec) Reset 

func (m *CertificateSigningRequestSpec) Reset()

func (*CertificateSigningRequestSpec) Size 

func (m *CertificateSigningRequestSpec) Size() (n int)

func (*CertificateSigningRequestSpec) String 

func (this *CertificateSigningRequestSpec) String() string

func (CertificateSigningRequestSpec) SwaggerDoc 

func (CertificateSigningRequestSpec) SwaggerDoc() map[string]string

func (*CertificateSigningRequestSpec) Unmarshal 

func (m *CertificateSigningRequestSpec) Unmarshal(dAtA []byte) error

type CertificateSigningRequestStatus 

type CertificateSigningRequestStatus struct {
	// Conditions applied to the request, such as approval or denial.
	// +listType=map
	// +listMapKey=type
	// +optional
	// +k8s:listType=map
	// +k8s:listMapKey=type
	// +k8s:customUnique
	// +k8s:optional
	// +k8s:item(type: "Approved")=+k8s:zeroOrOneOfMember
	// +k8s:item(type: "Denied")=+k8s:zeroOrOneOfMember
	Conditions []CertificateSigningRequestCondition `json:"conditions,omitempty" protobuf:"bytes,1,rep,name=conditions"`

	// If request was approved, the controller will place the issued certificate here.
	// +optional
	Certificate []byte `json:"certificate,omitempty" protobuf:"bytes,2,opt,name=certificate"`
}

func (*CertificateSigningRequestStatus) DeepCopy 

func (in *CertificateSigningRequestStatus) DeepCopy() *CertificateSigningRequestStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSigningRequestStatus.

func (*CertificateSigningRequestStatus) DeepCopyInto 

func (in *CertificateSigningRequestStatus) DeepCopyInto(out *CertificateSigningRequestStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CertificateSigningRequestStatus) Marshal 

func (m *CertificateSigningRequestStatus) Marshal() (dAtA []byte, err error)

func (*CertificateSigningRequestStatus) MarshalTo 

func (m *CertificateSigningRequestStatus) MarshalTo(dAtA []byte) (int, error)

func (*CertificateSigningRequestStatus) MarshalToSizedBuffer added in v0.16.4 

func (m *CertificateSigningRequestStatus) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (CertificateSigningRequestStatus) OpenAPIModelName added in v0.35.0 

func (in CertificateSigningRequestStatus) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*CertificateSigningRequestStatus) Reset 

func (m *CertificateSigningRequestStatus) Reset()

func (*CertificateSigningRequestStatus) Size 

func (m *CertificateSigningRequestStatus) Size() (n int)

func (*CertificateSigningRequestStatus) String 

func (this *CertificateSigningRequestStatus) String() string

func (CertificateSigningRequestStatus) SwaggerDoc 

func (CertificateSigningRequestStatus) SwaggerDoc() map[string]string

func (*CertificateSigningRequestStatus) Unmarshal 

func (m *CertificateSigningRequestStatus) Unmarshal(dAtA []byte) error

type ClusterTrustBundle added in v0.33.0 

type ClusterTrustBundle struct {
	metav1.TypeMeta `json:",inline"`

	// metadata contains the object metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// spec contains the signer (if any) and trust anchors.
	Spec ClusterTrustBundleSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
}

ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).

ClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.

It can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.

func (*ClusterTrustBundle) APILifecycleDeprecated added in v0.33.0 

func (in *ClusterTrustBundle) APILifecycleDeprecated() (major, minor int)

APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.

func (*ClusterTrustBundle) APILifecycleIntroduced added in v0.33.0 

func (in *ClusterTrustBundle) APILifecycleIntroduced() (major, minor int)

APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.

func (*ClusterTrustBundle) APILifecycleRemoved added in v0.33.0 

func (in *ClusterTrustBundle) APILifecycleRemoved() (major, minor int)

APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.

func (*ClusterTrustBundle) DeepCopy added in v0.33.0 

func (in *ClusterTrustBundle) DeepCopy() *ClusterTrustBundle

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundle.

func (*ClusterTrustBundle) DeepCopyInto added in v0.33.0 

func (in *ClusterTrustBundle) DeepCopyInto(out *ClusterTrustBundle)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterTrustBundle) DeepCopyObject added in v0.33.0 

func (in *ClusterTrustBundle) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterTrustBundle) Marshal added in v0.33.0 

func (m *ClusterTrustBundle) Marshal() (dAtA []byte, err error)

func (*ClusterTrustBundle) MarshalTo added in v0.33.0 

func (m *ClusterTrustBundle) MarshalTo(dAtA []byte) (int, error)

func (*ClusterTrustBundle) MarshalToSizedBuffer added in v0.33.0 

func (m *ClusterTrustBundle) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (ClusterTrustBundle) OpenAPIModelName added in v0.35.0 

func (in ClusterTrustBundle) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*ClusterTrustBundle) Reset added in v0.33.0 

func (m *ClusterTrustBundle) Reset()

func (*ClusterTrustBundle) Size added in v0.33.0 

func (m *ClusterTrustBundle) Size() (n int)

func (*ClusterTrustBundle) String added in v0.33.0 

func (this *ClusterTrustBundle) String() string

func (ClusterTrustBundle) SwaggerDoc added in v0.33.0 

func (ClusterTrustBundle) SwaggerDoc() map[string]string

func (*ClusterTrustBundle) Unmarshal added in v0.33.0 

func (m *ClusterTrustBundle) Unmarshal(dAtA []byte) error

type ClusterTrustBundleList added in v0.33.0 

type ClusterTrustBundleList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata contains the list metadata.
	//
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// items is a collection of ClusterTrustBundle objects
	Items []ClusterTrustBundle `json:"items" protobuf:"bytes,2,rep,name=items"`
}

ClusterTrustBundleList is a collection of ClusterTrustBundle objects

func (*ClusterTrustBundleList) APILifecycleDeprecated added in v0.33.0 

func (in *ClusterTrustBundleList) APILifecycleDeprecated() (major, minor int)

APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.

func (*ClusterTrustBundleList) APILifecycleIntroduced added in v0.33.0 

func (in *ClusterTrustBundleList) APILifecycleIntroduced() (major, minor int)

APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.

func (*ClusterTrustBundleList) APILifecycleRemoved added in v0.33.0 

func (in *ClusterTrustBundleList) APILifecycleRemoved() (major, minor int)

APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.

func (*ClusterTrustBundleList) DeepCopy added in v0.33.0 

func (in *ClusterTrustBundleList) DeepCopy() *ClusterTrustBundleList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundleList.

func (*ClusterTrustBundleList) DeepCopyInto added in v0.33.0 

func (in *ClusterTrustBundleList) DeepCopyInto(out *ClusterTrustBundleList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterTrustBundleList) DeepCopyObject added in v0.33.0 

func (in *ClusterTrustBundleList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterTrustBundleList) Marshal added in v0.33.0 

func (m *ClusterTrustBundleList) Marshal() (dAtA []byte, err error)

func (*ClusterTrustBundleList) MarshalTo added in v0.33.0 

func (m *ClusterTrustBundleList) MarshalTo(dAtA []byte) (int, error)

func (*ClusterTrustBundleList) MarshalToSizedBuffer added in v0.33.0 

func (m *ClusterTrustBundleList) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (ClusterTrustBundleList) OpenAPIModelName added in v0.35.0 

func (in ClusterTrustBundleList) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*ClusterTrustBundleList) Reset added in v0.33.0 

func (m *ClusterTrustBundleList) Reset()

func (*ClusterTrustBundleList) Size added in v0.33.0 

func (m *ClusterTrustBundleList) Size() (n int)

func (*ClusterTrustBundleList) String added in v0.33.0 

func (this *ClusterTrustBundleList) String() string

func (ClusterTrustBundleList) SwaggerDoc added in v0.33.0 

func (ClusterTrustBundleList) SwaggerDoc() map[string]string

func (*ClusterTrustBundleList) Unmarshal added in v0.33.0 

func (m *ClusterTrustBundleList) Unmarshal(dAtA []byte) error

type ClusterTrustBundleSpec added in v0.33.0 

type ClusterTrustBundleSpec struct {
	// signerName indicates the associated signer, if any.
	//
	// In order to create or update a ClusterTrustBundle that sets signerName,
	// you must have the following cluster-scoped permission:
	// group=certificates.k8s.io resource=signers resourceName=<the signer name>
	// verb=attest.
	//
	// If signerName is not empty, then the ClusterTrustBundle object must be
	// named with the signer name as a prefix (translating slashes to colons).
	// For example, for the signer name `example.com/foo`, valid
	// ClusterTrustBundle object names include `example.com:foo:abc` and
	// `example.com:foo:v1`.
	//
	// If signerName is empty, then the ClusterTrustBundle object's name must
	// not have such a prefix.
	//
	// List/watch requests for ClusterTrustBundles can filter on this field
	// using a `spec.signerName=NAME` field selector.
	//
	// +optional
	SignerName string `json:"signerName,omitempty" protobuf:"bytes,1,opt,name=signerName"`

	// trustBundle contains the individual X.509 trust anchors for this
	// bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
	//
	// The data must consist only of PEM certificate blocks that parse as valid
	// X.509 certificates.  Each certificate must include a basic constraints
	// extension with the CA bit set.  The API server will reject objects that
	// contain duplicate certificates, or that use PEM block headers.
	//
	// Users of ClusterTrustBundles, including Kubelet, are free to reorder and
	// deduplicate certificate blocks in this file according to their own logic,
	// as well as to drop PEM block headers and inter-block data.
	TrustBundle string `json:"trustBundle" protobuf:"bytes,2,opt,name=trustBundle"`
}

ClusterTrustBundleSpec contains the signer and trust anchors.

func (*ClusterTrustBundleSpec) DeepCopy added in v0.33.0 

func (in *ClusterTrustBundleSpec) DeepCopy() *ClusterTrustBundleSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterTrustBundleSpec.

func (*ClusterTrustBundleSpec) DeepCopyInto added in v0.33.0 

func (in *ClusterTrustBundleSpec) DeepCopyInto(out *ClusterTrustBundleSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterTrustBundleSpec) Marshal added in v0.33.0 

func (m *ClusterTrustBundleSpec) Marshal() (dAtA []byte, err error)

func (*ClusterTrustBundleSpec) MarshalTo added in v0.33.0 

func (m *ClusterTrustBundleSpec) MarshalTo(dAtA []byte) (int, error)

func (*ClusterTrustBundleSpec) MarshalToSizedBuffer added in v0.33.0 

func (m *ClusterTrustBundleSpec) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (ClusterTrustBundleSpec) OpenAPIModelName added in v0.35.0 

func (in ClusterTrustBundleSpec) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*ClusterTrustBundleSpec) Reset added in v0.33.0 

func (m *ClusterTrustBundleSpec) Reset()

func (*ClusterTrustBundleSpec) Size added in v0.33.0 

func (m *ClusterTrustBundleSpec) Size() (n int)

func (*ClusterTrustBundleSpec) String added in v0.33.0 

func (this *ClusterTrustBundleSpec) String() string

func (ClusterTrustBundleSpec) SwaggerDoc added in v0.33.0 

func (ClusterTrustBundleSpec) SwaggerDoc() map[string]string

func (*ClusterTrustBundleSpec) Unmarshal added in v0.33.0 

func (m *ClusterTrustBundleSpec) Unmarshal(dAtA []byte) error

type ExtraValue 

type ExtraValue []string

ExtraValue masks the value so protobuf can generate +protobuf.nullable=true +protobuf.options.(gogoproto.goproto_stringer)=false

func (ExtraValue) DeepCopy 

func (in ExtraValue) DeepCopy() ExtraValue

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtraValue.

func (ExtraValue) DeepCopyInto 

func (in ExtraValue) DeepCopyInto(out *ExtraValue)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (ExtraValue) Marshal 

func (m ExtraValue) Marshal() (dAtA []byte, err error)

func (ExtraValue) MarshalTo 

func (m ExtraValue) MarshalTo(dAtA []byte) (int, error)

func (ExtraValue) MarshalToSizedBuffer added in v0.16.4 

func (m ExtraValue) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (*ExtraValue) Reset 

func (m *ExtraValue) Reset()

func (ExtraValue) Size 

func (m ExtraValue) Size() (n int)

func (ExtraValue) String 

func (t ExtraValue) String() string

func (*ExtraValue) Unmarshal 

func (m *ExtraValue) Unmarshal(dAtA []byte) error

type KeyUsage 

type KeyUsage string

KeyUsages specifies valid usage contexts for keys. See: 

https://tools.ietf.org/html/rfc5280#section-4.2.1.3
https://tools.ietf.org/html/rfc5280#section-4.2.1.12

const (
	UsageSigning           KeyUsage = "signing"
	UsageDigitalSignature  KeyUsage = "digital signature"
	UsageContentCommitment KeyUsage = "content commitment"
	UsageKeyEncipherment   KeyUsage = "key encipherment"
	UsageKeyAgreement      KeyUsage = "key agreement"
	UsageDataEncipherment  KeyUsage = "data encipherment"
	UsageCertSign          KeyUsage = "cert sign"
	UsageCRLSign           KeyUsage = "crl sign"
	UsageEncipherOnly      KeyUsage = "encipher only"
	UsageDecipherOnly      KeyUsage = "decipher only"
	UsageAny               KeyUsage = "any"
	UsageServerAuth        KeyUsage = "server auth"
	UsageClientAuth        KeyUsage = "client auth"
	UsageCodeSigning       KeyUsage = "code signing"
	UsageEmailProtection   KeyUsage = "email protection"
	UsageSMIME             KeyUsage = "s/mime"
	UsageIPsecEndSystem    KeyUsage = "ipsec end system"
	UsageIPsecTunnel       KeyUsage = "ipsec tunnel"
	UsageIPsecUser         KeyUsage = "ipsec user"
	UsageTimestamping      KeyUsage = "timestamping"
	UsageOCSPSigning       KeyUsage = "ocsp signing"
	UsageMicrosoftSGC      KeyUsage = "microsoft sgc"
	UsageNetscapeSGC       KeyUsage = "netscape sgc"
)

type PodCertificateRequest added in v0.35.0 

type PodCertificateRequest struct {
	metav1.TypeMeta `json:",inline"`

	// metadata contains the object metadata.
	//
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// spec contains the details about the certificate being requested.
	Spec PodCertificateRequestSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`

	// status contains the issued certificate, and a standard set of conditions.
	// +optional
	Status PodCertificateRequestStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

PodCertificateRequest encodes a pod requesting a certificate from a given signer.

Kubelets use this API to implement podCertificate projected volumes

func (*PodCertificateRequest) APILifecycleDeprecated added in v0.35.0 

func (in *PodCertificateRequest) APILifecycleDeprecated() (major, minor int)

APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.

func (*PodCertificateRequest) APILifecycleIntroduced added in v0.35.0 

func (in *PodCertificateRequest) APILifecycleIntroduced() (major, minor int)

APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.

func (*PodCertificateRequest) APILifecycleRemoved added in v0.35.0 

func (in *PodCertificateRequest) APILifecycleRemoved() (major, minor int)

APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.

func (*PodCertificateRequest) DeepCopy added in v0.35.0 

func (in *PodCertificateRequest) DeepCopy() *PodCertificateRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequest.

func (*PodCertificateRequest) DeepCopyInto added in v0.35.0 

func (in *PodCertificateRequest) DeepCopyInto(out *PodCertificateRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodCertificateRequest) DeepCopyObject added in v0.35.0 

func (in *PodCertificateRequest) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*PodCertificateRequest) Marshal added in v0.35.0 

func (m *PodCertificateRequest) Marshal() (dAtA []byte, err error)

func (*PodCertificateRequest) MarshalTo added in v0.35.0 

func (m *PodCertificateRequest) MarshalTo(dAtA []byte) (int, error)

func (*PodCertificateRequest) MarshalToSizedBuffer added in v0.35.0 

func (m *PodCertificateRequest) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (PodCertificateRequest) OpenAPIModelName added in v0.35.0 

func (in PodCertificateRequest) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*PodCertificateRequest) Reset added in v0.35.0 

func (m *PodCertificateRequest) Reset()

func (*PodCertificateRequest) Size added in v0.35.0 

func (m *PodCertificateRequest) Size() (n int)

func (*PodCertificateRequest) String added in v0.35.0 

func (this *PodCertificateRequest) String() string

func (PodCertificateRequest) SwaggerDoc added in v0.35.0 

func (PodCertificateRequest) SwaggerDoc() map[string]string

func (*PodCertificateRequest) Unmarshal added in v0.35.0 

func (m *PodCertificateRequest) Unmarshal(dAtA []byte) error

type PodCertificateRequestList added in v0.35.0 

type PodCertificateRequestList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata contains the list metadata.
	//
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// items is a collection of PodCertificateRequest objects
	Items []PodCertificateRequest `json:"items" protobuf:"bytes,2,rep,name=items"`
}

PodCertificateRequestList is a collection of PodCertificateRequest objects

func (*PodCertificateRequestList) APILifecycleDeprecated added in v0.35.0 

func (in *PodCertificateRequestList) APILifecycleDeprecated() (major, minor int)

APILifecycleDeprecated is an autogenerated function, returning the release in which the API struct was or will be deprecated as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:deprecated" tags in types.go or "k8s:prerelease-lifecycle-gen:introduced" plus three minor.

func (*PodCertificateRequestList) APILifecycleIntroduced added in v0.35.0 

func (in *PodCertificateRequestList) APILifecycleIntroduced() (major, minor int)

APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:introduced" tags in types.go.

func (*PodCertificateRequestList) APILifecycleRemoved added in v0.35.0 

func (in *PodCertificateRequestList) APILifecycleRemoved() (major, minor int)

APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor.

func (*PodCertificateRequestList) DeepCopy added in v0.35.0 

func (in *PodCertificateRequestList) DeepCopy() *PodCertificateRequestList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestList.

func (*PodCertificateRequestList) DeepCopyInto added in v0.35.0 

func (in *PodCertificateRequestList) DeepCopyInto(out *PodCertificateRequestList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodCertificateRequestList) DeepCopyObject added in v0.35.0 

func (in *PodCertificateRequestList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*PodCertificateRequestList) Marshal added in v0.35.0 

func (m *PodCertificateRequestList) Marshal() (dAtA []byte, err error)

func (*PodCertificateRequestList) MarshalTo added in v0.35.0 

func (m *PodCertificateRequestList) MarshalTo(dAtA []byte) (int, error)

func (*PodCertificateRequestList) MarshalToSizedBuffer added in v0.35.0 

func (m *PodCertificateRequestList) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (PodCertificateRequestList) OpenAPIModelName added in v0.35.0 

func (in PodCertificateRequestList) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*PodCertificateRequestList) Reset added in v0.35.0 

func (m *PodCertificateRequestList) Reset()

func (*PodCertificateRequestList) Size added in v0.35.0 

func (m *PodCertificateRequestList) Size() (n int)

func (*PodCertificateRequestList) String added in v0.35.0 

func (this *PodCertificateRequestList) String() string

func (PodCertificateRequestList) SwaggerDoc added in v0.35.0 

func (PodCertificateRequestList) SwaggerDoc() map[string]string

func (*PodCertificateRequestList) Unmarshal added in v0.35.0 

func (m *PodCertificateRequestList) Unmarshal(dAtA []byte) error

type PodCertificateRequestSpec added in v0.35.0 

type PodCertificateRequestSpec struct {
	// signerName indicates the requested signer.
	//
	// All signer names beginning with `kubernetes.io` are reserved for use by
	// the Kubernetes project.  There is currently one well-known signer
	// documented by the Kubernetes project,
	// `kubernetes.io/kube-apiserver-client-pod`, which will issue client
	// certificates understood by kube-apiserver.  It is currently
	// unimplemented.
	//
	// +required
	SignerName string `json:"signerName" protobuf:"bytes,1,opt,name=signerName"`

	// podName is the name of the pod into which the certificate will be mounted.
	//
	// +required
	PodName string `json:"podName" protobuf:"bytes,2,opt,name=podName"`
	// podUID is the UID of the pod into which the certificate will be mounted.
	//
	// +required
	PodUID types.UID `json:"podUID" protobuf:"bytes,3,opt,name=podUID"`

	// serviceAccountName is the name of the service account the pod is running as.
	//
	// +required
	ServiceAccountName string `json:"serviceAccountName" protobuf:"bytes,4,opt,name=serviceAccountName"`
	// serviceAccountUID is the UID of the service account the pod is running as.
	//
	// +required
	ServiceAccountUID types.UID `json:"serviceAccountUID" protobuf:"bytes,5,opt,name=serviceAccountUID"`

	// nodeName is the name of the node the pod is assigned to.
	//
	// +required
	NodeName types.NodeName `json:"nodeName" protobuf:"bytes,6,opt,name=nodeName"`
	// nodeUID is the UID of the node the pod is assigned to.
	//
	// +required
	NodeUID types.UID `json:"nodeUID" protobuf:"bytes,7,opt,name=nodeUID"`

	// maxExpirationSeconds is the maximum lifetime permitted for the
	// certificate.
	//
	// If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver
	// will reject values shorter than 3600 (1 hour).  The maximum allowable
	// value is 7862400 (91 days).
	//
	// The signer implementation is then free to issue a certificate with any
	// lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600
	// seconds (1 hour).  This constraint is enforced by kube-apiserver.
	// `kubernetes.io` signers will never issue certificates with a lifetime
	// longer than 24 hours.
	//
	// +optional
	// +default=86400
	MaxExpirationSeconds *int32 `json:"maxExpirationSeconds,omitempty" protobuf:"varint,8,opt,name=maxExpirationSeconds"`

	// pkixPublicKey is the PKIX-serialized public key the signer will issue the
	// certificate to.
	//
	// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384, ECDSAP521,
	// or ED25519. Note that this list may be expanded in the future.
	//
	// Signer implementations do not need to support all key types supported by
	// kube-apiserver and kubelet.  If a signer does not support the key type
	// used for a given PodCertificateRequest, it must deny the request by
	// setting a status.conditions entry with a type of "Denied" and a reason of
	// "UnsupportedKeyType". It may also suggest a key type that it does support
	// in the message field.
	//
	// +required
	PKIXPublicKey []byte `json:"pkixPublicKey" protobuf:"bytes,9,opt,name=pkixPublicKey"`

	// proofOfPossession proves that the requesting kubelet holds the private
	// key corresponding to pkixPublicKey.
	//
	// It is contructed by signing the ASCII bytes of the pod's UID using
	// `pkixPublicKey`.
	//
	// kube-apiserver validates the proof of possession during creation of the
	// PodCertificateRequest.
	//
	// If the key is an RSA key, then the signature is over the ASCII bytes of
	// the pod UID, using RSASSA-PSS from RFC 8017 (as implemented by the golang
	// function crypto/rsa.SignPSS with nil options).
	//
	// If the key is an ECDSA key, then the signature is as described by [SEC 1,
	// Version 2.0](https://www.secg.org/sec1-v2.pdf) (as implemented by the
	// golang library function crypto/ecdsa.SignASN1)
	//
	// If the key is an ED25519 key, the the signature is as described by the
	// [ED25519 Specification](https://ed25519.cr.yp.to/) (as implemented by
	// the golang library crypto/ed25519.Sign).
	//
	// +required
	ProofOfPossession []byte `json:"proofOfPossession" protobuf:"bytes,10,opt,name=proofOfPossession"`

	// unverifiedUserAnnotations allow pod authors to pass additional information to
	// the signer implementation.  Kubernetes does not restrict or validate this
	// metadata in any way.
	//
	// Entries are subject to the same validation as object metadata annotations,
	// with the addition that all keys must be domain-prefixed. No restrictions
	// are placed on values, except an overall size limitation on the entire field.
	//
	// Signers should document the keys and values they support.  Signers should
	// deny requests that contain keys they do not recognize.
	UnverifiedUserAnnotations map[string]string `json:"unverifiedUserAnnotations,omitempty" protobuf:"bytes,11,opt,name=unverifiedUserAnnotations"`
}

PodCertificateRequestSpec describes the certificate request. All fields are immutable after creation.

func (*PodCertificateRequestSpec) DeepCopy added in v0.35.0 

func (in *PodCertificateRequestSpec) DeepCopy() *PodCertificateRequestSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestSpec.

func (*PodCertificateRequestSpec) DeepCopyInto added in v0.35.0 

func (in *PodCertificateRequestSpec) DeepCopyInto(out *PodCertificateRequestSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodCertificateRequestSpec) Marshal added in v0.35.0 

func (m *PodCertificateRequestSpec) Marshal() (dAtA []byte, err error)

func (*PodCertificateRequestSpec) MarshalTo added in v0.35.0 

func (m *PodCertificateRequestSpec) MarshalTo(dAtA []byte) (int, error)

func (*PodCertificateRequestSpec) MarshalToSizedBuffer added in v0.35.0 

func (m *PodCertificateRequestSpec) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (PodCertificateRequestSpec) OpenAPIModelName added in v0.35.0 

func (in PodCertificateRequestSpec) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*PodCertificateRequestSpec) Reset added in v0.35.0 

func (m *PodCertificateRequestSpec) Reset()

func (*PodCertificateRequestSpec) Size added in v0.35.0 

func (m *PodCertificateRequestSpec) Size() (n int)

func (*PodCertificateRequestSpec) String added in v0.35.0 

func (this *PodCertificateRequestSpec) String() string

func (PodCertificateRequestSpec) SwaggerDoc added in v0.35.0 

func (PodCertificateRequestSpec) SwaggerDoc() map[string]string

func (*PodCertificateRequestSpec) Unmarshal added in v0.35.0 

func (m *PodCertificateRequestSpec) Unmarshal(dAtA []byte) error

type PodCertificateRequestStatus added in v0.35.0 

type PodCertificateRequestStatus struct {
	// conditions applied to the request.
	//
	// The types "Issued", "Denied", and "Failed" have special handling.  At
	// most one of these conditions may be present, and they must have status
	// "True".
	//
	// If the request is denied with `Reason=UnsupportedKeyType`, the signer may
	// suggest a key type that will work in the message field.
	//
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=type
	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`

	// certificateChain is populated with an issued certificate by the signer.
	// This field is set via the /status subresource. Once populated, this field
	// is immutable.
	//
	// If the certificate signing request is denied, a condition of type
	// "Denied" is added and this field remains empty. If the signer cannot
	// issue the certificate, a condition of type "Failed" is added and this
	// field remains empty.
	//
	// Validation requirements:
	//  1. certificateChain must consist of one or more PEM-formatted certificates.
	//  2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
	//     described in section 4 of RFC5280.
	//
	// If more than one block is present, and the definition of the requested
	// spec.signerName does not indicate otherwise, the first block is the
	// issued certificate, and subsequent blocks should be treated as
	// intermediate certificates and presented in TLS handshakes.  When
	// projecting the chain into a pod volume, kubelet will drop any data
	// in-between the PEM blocks, as well as any PEM block headers.
	//
	// +optional
	CertificateChain string `json:"certificateChain,omitempty" protobuf:"bytes,2,opt,name=certificateChain"`

	// notBefore is the time at which the certificate becomes valid.  The value
	// must be the same as the notBefore value in the leaf certificate in
	// certificateChain.  This field is set via the /status subresource.  Once
	// populated, it is immutable. The signer must set this field at the same
	// time it sets certificateChain.
	//
	// +optional
	NotBefore *metav1.Time `json:"notBefore,omitempty" protobuf:"bytes,4,opt,name=notBefore"`

	// beginRefreshAt is the time at which the kubelet should begin trying to
	// refresh the certificate.  This field is set via the /status subresource,
	// and must be set at the same time as certificateChain.  Once populated,
	// this field is immutable.
	//
	// This field is only a hint.  Kubelet may start refreshing before or after
	// this time if necessary.
	//
	// +optional
	BeginRefreshAt *metav1.Time `json:"beginRefreshAt,omitempty" protobuf:"bytes,5,opt,name=beginRefreshAt"`

	// notAfter is the time at which the certificate expires.  The value must be
	// the same as the notAfter value in the leaf certificate in
	// certificateChain.  This field is set via the /status subresource.  Once
	// populated, it is immutable.  The signer must set this field at the same
	// time it sets certificateChain.
	//
	// +optional
	NotAfter *metav1.Time `json:"notAfter,omitempty" protobuf:"bytes,6,opt,name=notAfter"`
}

PodCertificateRequestStatus describes the status of the request, and holds the certificate data if the request is issued.

func (*PodCertificateRequestStatus) DeepCopy added in v0.35.0 

func (in *PodCertificateRequestStatus) DeepCopy() *PodCertificateRequestStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodCertificateRequestStatus.

func (*PodCertificateRequestStatus) DeepCopyInto added in v0.35.0 

func (in *PodCertificateRequestStatus) DeepCopyInto(out *PodCertificateRequestStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodCertificateRequestStatus) Marshal added in v0.35.0 

func (m *PodCertificateRequestStatus) Marshal() (dAtA []byte, err error)

func (*PodCertificateRequestStatus) MarshalTo added in v0.35.0 

func (m *PodCertificateRequestStatus) MarshalTo(dAtA []byte) (int, error)

func (*PodCertificateRequestStatus) MarshalToSizedBuffer added in v0.35.0 

func (m *PodCertificateRequestStatus) MarshalToSizedBuffer(dAtA []byte) (int, error)

func (PodCertificateRequestStatus) OpenAPIModelName added in v0.35.0 

func (in PodCertificateRequestStatus) OpenAPIModelName() string

OpenAPIModelName returns the OpenAPI model name for this type.

func (*PodCertificateRequestStatus) Reset added in v0.35.0 

func (m *PodCertificateRequestStatus) Reset()

func (*PodCertificateRequestStatus) Size added in v0.35.0 

func (m *PodCertificateRequestStatus) Size() (n int)

func (*PodCertificateRequestStatus) String added in v0.35.0 

func (this *PodCertificateRequestStatus) String() string

func (PodCertificateRequestStatus) SwaggerDoc added in v0.35.0 

func (PodCertificateRequestStatus) SwaggerDoc() map[string]string

func (*PodCertificateRequestStatus) Unmarshal added in v0.35.0 

func (m *PodCertificateRequestStatus) Unmarshal(dAtA []byte) error

type RequestConditionType 

type RequestConditionType string
const (
	CertificateApproved RequestConditionType = "Approved"
	CertificateDenied   RequestConditionType = "Denied"
	CertificateFailed   RequestConditionType = "Failed"
)

These are the possible conditions for a certificate request.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.