diff --git a/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto b/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto index 8b26030c4..9bdf97f5b 100644 --- a/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto +++ b/third_party/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto @@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -22,338 +22,338 @@ option go_package = "github.com/containerd/containerd/third_party/k8s.io/cri-api // Runtime service defines the public APIs for remote container runtimes service RuntimeService { - // Version returns the runtime name, runtime version, and runtime API version. - rpc Version(VersionRequest) returns (VersionResponse) {} + // Version returns the runtime name, runtime version, and runtime API version. + rpc Version(VersionRequest) returns (VersionResponse) {} - // RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure - // the sandbox is in the ready state on success. - rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse) {} - // StopPodSandbox stops any running process that is part of the sandbox and - // reclaims network resources (e.g., IP addresses) allocated to the sandbox. - // If there are any running containers in the sandbox, they must be forcibly - // terminated. - // This call is idempotent, and must not return an error if all relevant - // resources have already been reclaimed. kubelet will call StopPodSandbox - // at least once before calling RemovePodSandbox. It will also attempt to - // reclaim resources eagerly, as soon as a sandbox is not needed. Hence, - // multiple StopPodSandbox calls are expected. - rpc StopPodSandbox(StopPodSandboxRequest) returns (StopPodSandboxResponse) {} - // RemovePodSandbox removes the sandbox. If there are any running containers - // in the sandbox, they must be forcibly terminated and removed. - // This call is idempotent, and must not return an error if the sandbox has - // already been removed. - rpc RemovePodSandbox(RemovePodSandboxRequest) returns (RemovePodSandboxResponse) {} - // PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not - // present, returns an error. - rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse) {} - // ListPodSandbox returns a list of PodSandboxes. - rpc ListPodSandbox(ListPodSandboxRequest) returns (ListPodSandboxResponse) {} + // RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure + // the sandbox is in the ready state on success. + rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse) {} + // StopPodSandbox stops any running process that is part of the sandbox and + // reclaims network resources (e.g., IP addresses) allocated to the sandbox. + // If there are any running containers in the sandbox, they must be forcibly + // terminated. + // This call is idempotent, and must not return an error if all relevant + // resources have already been reclaimed. kubelet will call StopPodSandbox + // at least once before calling RemovePodSandbox. It will also attempt to + // reclaim resources eagerly, as soon as a sandbox is not needed. Hence, + // multiple StopPodSandbox calls are expected. + rpc StopPodSandbox(StopPodSandboxRequest) returns (StopPodSandboxResponse) {} + // RemovePodSandbox removes the sandbox. If there are any running containers + // in the sandbox, they must be forcibly terminated and removed. + // This call is idempotent, and must not return an error if the sandbox has + // already been removed. + rpc RemovePodSandbox(RemovePodSandboxRequest) returns (RemovePodSandboxResponse) {} + // PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not + // present, returns an error. + rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse) {} + // ListPodSandbox returns a list of PodSandboxes. + rpc ListPodSandbox(ListPodSandboxRequest) returns (ListPodSandboxResponse) {} - // CreateContainer creates a new container in specified PodSandbox - rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse) {} - // StartContainer starts the container. - rpc StartContainer(StartContainerRequest) returns (StartContainerResponse) {} - // StopContainer stops a running container with a grace period (i.e., timeout). - // This call is idempotent, and must not return an error if the container has - // already been stopped. - // The runtime must forcibly kill the container after the grace period is - // reached. - rpc StopContainer(StopContainerRequest) returns (StopContainerResponse) {} - // RemoveContainer removes the container. If the container is running, the - // container must be forcibly removed. - // This call is idempotent, and must not return an error if the container has - // already been removed. - rpc RemoveContainer(RemoveContainerRequest) returns (RemoveContainerResponse) {} - // ListContainers lists all containers by filters. - rpc ListContainers(ListContainersRequest) returns (ListContainersResponse) {} - // ContainerStatus returns status of the container. If the container is not - // present, returns an error. - rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {} - // UpdateContainerResources updates ContainerConfig of the container synchronously. - // If runtime fails to transactionally update the requested resources, an error is returned. - rpc UpdateContainerResources(UpdateContainerResourcesRequest) returns (UpdateContainerResourcesResponse) {} - // ReopenContainerLog asks runtime to reopen the stdout/stderr log file - // for the container. This is often called after the log file has been - // rotated. If the container is not running, container runtime can choose - // to either create a new log file and return nil, or return an error. - // Once it returns error, new container log file MUST NOT be created. - rpc ReopenContainerLog(ReopenContainerLogRequest) returns (ReopenContainerLogResponse) {} + // CreateContainer creates a new container in specified PodSandbox + rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse) {} + // StartContainer starts the container. + rpc StartContainer(StartContainerRequest) returns (StartContainerResponse) {} + // StopContainer stops a running container with a grace period (i.e., timeout). + // This call is idempotent, and must not return an error if the container has + // already been stopped. + // The runtime must forcibly kill the container after the grace period is + // reached. + rpc StopContainer(StopContainerRequest) returns (StopContainerResponse) {} + // RemoveContainer removes the container. If the container is running, the + // container must be forcibly removed. + // This call is idempotent, and must not return an error if the container has + // already been removed. + rpc RemoveContainer(RemoveContainerRequest) returns (RemoveContainerResponse) {} + // ListContainers lists all containers by filters. + rpc ListContainers(ListContainersRequest) returns (ListContainersResponse) {} + // ContainerStatus returns status of the container. If the container is not + // present, returns an error. + rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {} + // UpdateContainerResources updates ContainerConfig of the container synchronously. + // If runtime fails to transactionally update the requested resources, an error is returned. + rpc UpdateContainerResources(UpdateContainerResourcesRequest) returns (UpdateContainerResourcesResponse) {} + // ReopenContainerLog asks runtime to reopen the stdout/stderr log file + // for the container. This is often called after the log file has been + // rotated. If the container is not running, container runtime can choose + // to either create a new log file and return nil, or return an error. + // Once it returns error, new container log file MUST NOT be created. + rpc ReopenContainerLog(ReopenContainerLogRequest) returns (ReopenContainerLogResponse) {} - // ExecSync runs a command in a container synchronously. - rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {} - // Exec prepares a streaming endpoint to execute a command in the container. - rpc Exec(ExecRequest) returns (ExecResponse) {} - // Attach prepares a streaming endpoint to attach to a running container. - rpc Attach(AttachRequest) returns (AttachResponse) {} - // PortForward prepares a streaming endpoint to forward ports from a PodSandbox. - rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {} + // ExecSync runs a command in a container synchronously. + rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {} + // Exec prepares a streaming endpoint to execute a command in the container. + rpc Exec(ExecRequest) returns (ExecResponse) {} + // Attach prepares a streaming endpoint to attach to a running container. + rpc Attach(AttachRequest) returns (AttachResponse) {} + // PortForward prepares a streaming endpoint to forward ports from a PodSandbox. + rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {} - // ContainerStats returns stats of the container. If the container does not - // exist, the call returns an error. - rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {} - // ListContainerStats returns stats of all running containers. - rpc ListContainerStats(ListContainerStatsRequest) returns (ListContainerStatsResponse) {} + // ContainerStats returns stats of the container. If the container does not + // exist, the call returns an error. + rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {} + // ListContainerStats returns stats of all running containers. + rpc ListContainerStats(ListContainerStatsRequest) returns (ListContainerStatsResponse) {} - // PodSandboxStats returns stats of the pod sandbox. If the pod sandbox does not - // exist, the call returns an error. - rpc PodSandboxStats(PodSandboxStatsRequest) returns (PodSandboxStatsResponse) {} - // ListPodSandboxStats returns stats of the pod sandboxes matching a filter. - rpc ListPodSandboxStats(ListPodSandboxStatsRequest) returns (ListPodSandboxStatsResponse) {} + // PodSandboxStats returns stats of the pod sandbox. If the pod sandbox does not + // exist, the call returns an error. + rpc PodSandboxStats(PodSandboxStatsRequest) returns (PodSandboxStatsResponse) {} + // ListPodSandboxStats returns stats of the pod sandboxes matching a filter. + rpc ListPodSandboxStats(ListPodSandboxStatsRequest) returns (ListPodSandboxStatsResponse) {} - // UpdateRuntimeConfig updates the runtime configuration based on the given request. - rpc UpdateRuntimeConfig(UpdateRuntimeConfigRequest) returns (UpdateRuntimeConfigResponse) {} + // UpdateRuntimeConfig updates the runtime configuration based on the given request. + rpc UpdateRuntimeConfig(UpdateRuntimeConfigRequest) returns (UpdateRuntimeConfigResponse) {} - // Status returns the status of the runtime. - rpc Status(StatusRequest) returns (StatusResponse) {} + // Status returns the status of the runtime. + rpc Status(StatusRequest) returns (StatusResponse) {} } // ImageService defines the public APIs for managing images. service ImageService { - // ListImages lists existing images. - rpc ListImages(ListImagesRequest) returns (ListImagesResponse) {} - // ImageStatus returns the status of the image. If the image is not - // present, returns a response with ImageStatusResponse.Image set to - // nil. - rpc ImageStatus(ImageStatusRequest) returns (ImageStatusResponse) {} - // PullImage pulls an image with authentication config. - rpc PullImage(PullImageRequest) returns (PullImageResponse) {} - // RemoveImage removes the image. - // This call is idempotent, and must not return an error if the image has - // already been removed. - rpc RemoveImage(RemoveImageRequest) returns (RemoveImageResponse) {} - // ImageFSInfo returns information of the filesystem that is used to store images. - rpc ImageFsInfo(ImageFsInfoRequest) returns (ImageFsInfoResponse) {} + // ListImages lists existing images. + rpc ListImages(ListImagesRequest) returns (ListImagesResponse) {} + // ImageStatus returns the status of the image. If the image is not + // present, returns a response with ImageStatusResponse.Image set to + // nil. + rpc ImageStatus(ImageStatusRequest) returns (ImageStatusResponse) {} + // PullImage pulls an image with authentication config. + rpc PullImage(PullImageRequest) returns (PullImageResponse) {} + // RemoveImage removes the image. + // This call is idempotent, and must not return an error if the image has + // already been removed. + rpc RemoveImage(RemoveImageRequest) returns (RemoveImageResponse) {} + // ImageFSInfo returns information of the filesystem that is used to store images. + rpc ImageFsInfo(ImageFsInfoRequest) returns (ImageFsInfoResponse) {} } message VersionRequest { - // Version of the kubelet runtime API. - string version = 1; + // Version of the kubelet runtime API. + string version = 1; } message VersionResponse { - // Version of the kubelet runtime API. - string version = 1; - // Name of the container runtime. - string runtime_name = 2; - // Version of the container runtime. The string must be - // semver-compatible. - string runtime_version = 3; - // API version of the container runtime. The string must be - // semver-compatible. - string runtime_api_version = 4; + // Version of the kubelet runtime API. + string version = 1; + // Name of the container runtime. + string runtime_name = 2; + // Version of the container runtime. The string must be + // semver-compatible. + string runtime_version = 3; + // API version of the container runtime. The string must be + // semver-compatible. + string runtime_api_version = 4; } // DNSConfig specifies the DNS servers and search domains of a sandbox. message DNSConfig { - // List of DNS servers of the cluster. - repeated string servers = 1; - // List of DNS search domains of the cluster. - repeated string searches = 2; - // List of DNS options. See https://linux.die.net/man/5/resolv.conf - // for all available options. - repeated string options = 3; + // List of DNS servers of the cluster. + repeated string servers = 1; + // List of DNS search domains of the cluster. + repeated string searches = 2; + // List of DNS options. See https://linux.die.net/man/5/resolv.conf + // for all available options. + repeated string options = 3; } enum Protocol { - TCP = 0; - UDP = 1; - SCTP = 2; + TCP = 0; + UDP = 1; + SCTP = 2; } // PortMapping specifies the port mapping configurations of a sandbox. message PortMapping { - // Protocol of the port mapping. - Protocol protocol = 1; - // Port number within the container. Default: 0 (not specified). - int32 container_port = 2; - // Port number on the host. Default: 0 (not specified). - int32 host_port = 3; - // Host IP. - string host_ip = 4; + // Protocol of the port mapping. + Protocol protocol = 1; + // Port number within the container. Default: 0 (not specified). + int32 container_port = 2; + // Port number on the host. Default: 0 (not specified). + int32 host_port = 3; + // Host IP. + string host_ip = 4; } enum MountPropagation { - // No mount propagation ("private" in Linux terminology). - PROPAGATION_PRIVATE = 0; - // Mounts get propagated from the host to the container ("rslave" in Linux). - PROPAGATION_HOST_TO_CONTAINER = 1; - // Mounts get propagated from the host to the container and from the - // container to the host ("rshared" in Linux). - PROPAGATION_BIDIRECTIONAL = 2; + // No mount propagation ("private" in Linux terminology). + PROPAGATION_PRIVATE = 0; + // Mounts get propagated from the host to the container ("rslave" in Linux). + PROPAGATION_HOST_TO_CONTAINER = 1; + // Mounts get propagated from the host to the container and from the + // container to the host ("rshared" in Linux). + PROPAGATION_BIDIRECTIONAL = 2; } // Mount specifies a host volume to mount into a container. message Mount { - // Path of the mount within the container. - string container_path = 1; - // Path of the mount on the host. If the hostPath doesn't exist, then runtimes - // should report error. If the hostpath is a symbolic link, runtimes should - // follow the symlink and mount the real destination to container. - string host_path = 2; - // If set, the mount is read-only. - bool readonly = 3; - // If set, the mount needs SELinux relabeling. - bool selinux_relabel = 4; - // Requested propagation mode. - MountPropagation propagation = 5; + // Path of the mount within the container. + string container_path = 1; + // Path of the mount on the host. If the hostPath doesn't exist, then runtimes + // should report error. If the hostpath is a symbolic link, runtimes should + // follow the symlink and mount the real destination to container. + string host_path = 2; + // If set, the mount is read-only. + bool readonly = 3; + // If set, the mount needs SELinux relabeling. + bool selinux_relabel = 4; + // Requested propagation mode. + MountPropagation propagation = 5; } // IDMapping describes host to container ID mappings for a pod sandbox. message IDMapping { - // HostId is the id on the host. - uint32 host_id = 1; - // ContainerId is the id in the container. - uint32 container_id = 2; - // Length is the size of the range to map. - uint32 length = 3; + // HostId is the id on the host. + uint32 host_id = 1; + // ContainerId is the id in the container. + uint32 container_id = 2; + // Length is the size of the range to map. + uint32 length = 3; } // A NamespaceMode describes the intended namespace configuration for each // of the namespaces (Network, PID, IPC) in NamespaceOption. Runtimes should // map these modes as appropriate for the technology underlying the runtime. enum NamespaceMode { - // A POD namespace is common to all containers in a pod. - // For example, a container with a PID namespace of POD expects to view - // all of the processes in all of the containers in the pod. - POD = 0; - // A CONTAINER namespace is restricted to a single container. - // For example, a container with a PID namespace of CONTAINER expects to - // view only the processes in that container. - CONTAINER = 1; - // A NODE namespace is the namespace of the Kubernetes node. - // For example, a container with a PID namespace of NODE expects to view - // all of the processes on the host running the kubelet. - NODE = 2; - // TARGET targets the namespace of another container. When this is specified, - // a target_id must be specified in NamespaceOption and refer to a container - // previously created with NamespaceMode CONTAINER. This containers namespace - // will be made to match that of container target_id. - // For example, a container with a PID namespace of TARGET expects to view - // all of the processes that container target_id can view. - TARGET = 3; + // A POD namespace is common to all containers in a pod. + // For example, a container with a PID namespace of POD expects to view + // all of the processes in all of the containers in the pod. + POD = 0; + // A CONTAINER namespace is restricted to a single container. + // For example, a container with a PID namespace of CONTAINER expects to + // view only the processes in that container. + CONTAINER = 1; + // A NODE namespace is the namespace of the Kubernetes node. + // For example, a container with a PID namespace of NODE expects to view + // all of the processes on the host running the kubelet. + NODE = 2; + // TARGET targets the namespace of another container. When this is specified, + // a target_id must be specified in NamespaceOption and refer to a container + // previously created with NamespaceMode CONTAINER. This containers namespace + // will be made to match that of container target_id. + // For example, a container with a PID namespace of TARGET expects to view + // all of the processes that container target_id can view. + TARGET = 3; } // UserNamespace describes the intended user namespace configuration for a pod sandbox. message UserNamespace { - // Mode is the NamespaceMode for this UserNamespace. - // Note: NamespaceMode for UserNamespace currently supports only POD and NODE, not CONTAINER OR TARGET. - NamespaceMode mode = 1; + // Mode is the NamespaceMode for this UserNamespace. + // Note: NamespaceMode for UserNamespace currently supports only POD and NODE, not CONTAINER OR TARGET. + NamespaceMode mode = 1; - // Uids specifies the UID mappings for the user namespace. - repeated IDMapping uids = 2; + // Uids specifies the UID mappings for the user namespace. + repeated IDMapping uids = 2; - // Gids specifies the GID mappings for the user namespace. - repeated IDMapping gids = 3; + // Gids specifies the GID mappings for the user namespace. + repeated IDMapping gids = 3; } // NamespaceOption provides options for Linux namespaces. message NamespaceOption { - // Network namespace for this container/sandbox. - // Note: There is currently no way to set CONTAINER scoped network in the Kubernetes API. - // Namespaces currently set by the kubelet: POD, NODE - NamespaceMode network = 1; - // PID namespace for this container/sandbox. - // Note: The CRI default is POD, but the v1.PodSpec default is CONTAINER. - // The kubelet's runtime manager will set this to CONTAINER explicitly for v1 pods. - // Namespaces currently set by the kubelet: POD, CONTAINER, NODE, TARGET - NamespaceMode pid = 2; - // IPC namespace for this container/sandbox. - // Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API. - // Namespaces currently set by the kubelet: POD, NODE - NamespaceMode ipc = 3; - // Target Container ID for NamespaceMode of TARGET. This container must have been - // previously created in the same pod. It is not possible to specify different targets - // for each namespace. - string target_id = 4; - // UsernsOptions for this pod sandbox. - // The Kubelet picks the user namespace configuration to use for the pod sandbox. The mappings - // are specified as part of the UserNamespace struct. If the struct is nil, then the POD mode - // must be assumed. This is done for backward compatibility with older Kubelet versions that - // do not set a user namespace. - UserNamespace userns_options = 5; + // Network namespace for this container/sandbox. + // Note: There is currently no way to set CONTAINER scoped network in the Kubernetes API. + // Namespaces currently set by the kubelet: POD, NODE + NamespaceMode network = 1; + // PID namespace for this container/sandbox. + // Note: The CRI default is POD, but the v1.PodSpec default is CONTAINER. + // The kubelet's runtime manager will set this to CONTAINER explicitly for v1 pods. + // Namespaces currently set by the kubelet: POD, CONTAINER, NODE, TARGET + NamespaceMode pid = 2; + // IPC namespace for this container/sandbox. + // Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API. + // Namespaces currently set by the kubelet: POD, NODE + NamespaceMode ipc = 3; + // Target Container ID for NamespaceMode of TARGET. This container must have been + // previously created in the same pod. It is not possible to specify different targets + // for each namespace. + string target_id = 4; + // UsernsOptions for this pod sandbox. + // The Kubelet picks the user namespace configuration to use for the pod sandbox. The mappings + // are specified as part of the UserNamespace struct. If the struct is nil, then the POD mode + // must be assumed. This is done for backward compatibility with older Kubelet versions that + // do not set a user namespace. + UserNamespace userns_options = 5; } // Int64Value is the wrapper of int64. message Int64Value { - // The value. - int64 value = 1; + // The value. + int64 value = 1; } // LinuxSandboxSecurityContext holds linux security configuration that will be // applied to a sandbox. Note that: // 1) It does not apply to containers in the pods. // 2) It may not be applicable to a PodSandbox which does not contain any running -// process. +// process. message LinuxSandboxSecurityContext { - // Configurations for the sandbox's namespaces. - // This will be used only if the PodSandbox uses namespace for isolation. - NamespaceOption namespace_options = 1; - // Optional SELinux context to be applied. - SELinuxOption selinux_options = 2; - // UID to run sandbox processes as, when applicable. - Int64Value run_as_user = 3; - // GID to run sandbox processes as, when applicable. run_as_group should only - // be specified when run_as_user is specified; otherwise, the runtime MUST error. - Int64Value run_as_group = 8; - // If set, the root filesystem of the sandbox is read-only. - bool readonly_rootfs = 4; - // List of groups applied to the first process run in the sandbox, in - // addition to the sandbox's primary GID. - repeated int64 supplemental_groups = 5; - // Indicates whether the sandbox will be asked to run a privileged - // container. If a privileged container is to be executed within it, this - // MUST be true. - // This allows a sandbox to take additional security precautions if no - // privileged containers are expected to be run. - bool privileged = 6; - // Seccomp profile for the sandbox. - SecurityProfile seccomp = 9; - // AppArmor profile for the sandbox. - SecurityProfile apparmor = 10; - // Seccomp profile for the sandbox, candidate values are: - // * runtime/default: the default profile for the container runtime - // * unconfined: unconfined profile, ie, no seccomp sandboxing - // * localhost/: the profile installed on the node. - // is the full path of the profile. - // Default: "", which is identical with unconfined. - string seccomp_profile_path = 7 [deprecated=true]; + // Configurations for the sandbox's namespaces. + // This will be used only if the PodSandbox uses namespace for isolation. + NamespaceOption namespace_options = 1; + // Optional SELinux context to be applied. + SELinuxOption selinux_options = 2; + // UID to run sandbox processes as, when applicable. + Int64Value run_as_user = 3; + // GID to run sandbox processes as, when applicable. run_as_group should only + // be specified when run_as_user is specified; otherwise, the runtime MUST error. + Int64Value run_as_group = 8; + // If set, the root filesystem of the sandbox is read-only. + bool readonly_rootfs = 4; + // List of groups applied to the first process run in the sandbox, in + // addition to the sandbox's primary GID. + repeated int64 supplemental_groups = 5; + // Indicates whether the sandbox will be asked to run a privileged + // container. If a privileged container is to be executed within it, this + // MUST be true. + // This allows a sandbox to take additional security precautions if no + // privileged containers are expected to be run. + bool privileged = 6; + // Seccomp profile for the sandbox. + SecurityProfile seccomp = 9; + // AppArmor profile for the sandbox. + SecurityProfile apparmor = 10; + // Seccomp profile for the sandbox, candidate values are: + // * runtime/default: the default profile for the container runtime + // * unconfined: unconfined profile, ie, no seccomp sandboxing + // * localhost/: the profile installed on the node. + // is the full path of the profile. + // Default: "", which is identical with unconfined. + string seccomp_profile_path = 7 [deprecated=true]; } // A security profile which can be used for sandboxes and containers. message SecurityProfile { - // Available profile types. - enum ProfileType { - // The container runtime default profile should be used. - RuntimeDefault = 0; - // Disable the feature for the sandbox or the container. - Unconfined = 1; - // A pre-defined profile on the node should be used. - Localhost = 2; - } - // Indicator which `ProfileType` should be applied. - ProfileType profile_type = 1; - // Indicates that a pre-defined profile on the node should be used. - // Must only be set if `ProfileType` is `Localhost`. - // For seccomp, it must be an absolute path to the seccomp profile. - // For AppArmor, this field is the AppArmor `/` - string localhost_ref = 2; + // Available profile types. + enum ProfileType { + // The container runtime default profile should be used. + RuntimeDefault = 0; + // Disable the feature for the sandbox or the container. + Unconfined = 1; + // A pre-defined profile on the node should be used. + Localhost = 2; + } + // Indicator which `ProfileType` should be applied. + ProfileType profile_type = 1; + // Indicates that a pre-defined profile on the node should be used. + // Must only be set if `ProfileType` is `Localhost`. + // For seccomp, it must be an absolute path to the seccomp profile. + // For AppArmor, this field is the AppArmor `/` + string localhost_ref = 2; } // LinuxPodSandboxConfig holds platform-specific configurations for Linux // host platforms and Linux-based containers. message LinuxPodSandboxConfig { - // Parent cgroup of the PodSandbox. - // The cgroupfs style syntax will be used, but the container runtime can - // convert it to systemd semantics if needed. - string cgroup_parent = 1; - // LinuxSandboxSecurityContext holds sandbox security attributes. - LinuxSandboxSecurityContext security_context = 2; - // Sysctls holds linux sysctls config for the sandbox. - map sysctls = 3; - // Optional overhead represents the overheads associated with this sandbox - LinuxContainerResources overhead = 4; - // Optional resources represents the sum of container resources for this sandbox - LinuxContainerResources resources = 5; + // Parent cgroup of the PodSandbox. + // The cgroupfs style syntax will be used, but the container runtime can + // convert it to systemd semantics if needed. + string cgroup_parent = 1; + // LinuxSandboxSecurityContext holds sandbox security attributes. + LinuxSandboxSecurityContext security_context = 2; + // Sysctls holds linux sysctls config for the sandbox. + map sysctls = 3; + // Optional overhead represents the overheads associated with this sandbox + LinuxContainerResources overhead = 4; + // Optional resources represents the sum of container resources for this sandbox + LinuxContainerResources resources = 5; } // PodSandboxMetadata holds all necessary information for building the sandbox name. @@ -361,387 +361,387 @@ message LinuxPodSandboxConfig { // PodSandbox in its user interface for better user experience. For example, // the runtime can construct a unique PodSandboxName based on the metadata. message PodSandboxMetadata { - // Pod name of the sandbox. Same as the pod name in the Pod ObjectMeta. - string name = 1; - // Pod UID of the sandbox. Same as the pod UID in the Pod ObjectMeta. - string uid = 2; - // Pod namespace of the sandbox. Same as the pod namespace in the Pod ObjectMeta. - string namespace = 3; - // Attempt number of creating the sandbox. Default: 0. - uint32 attempt = 4; + // Pod name of the sandbox. Same as the pod name in the Pod ObjectMeta. + string name = 1; + // Pod UID of the sandbox. Same as the pod UID in the Pod ObjectMeta. + string uid = 2; + // Pod namespace of the sandbox. Same as the pod namespace in the Pod ObjectMeta. + string namespace = 3; + // Attempt number of creating the sandbox. Default: 0. + uint32 attempt = 4; } // PodSandboxConfig holds all the required and optional fields for creating a // sandbox. message PodSandboxConfig { - // Metadata of the sandbox. This information will uniquely identify the - // sandbox, and the runtime should leverage this to ensure correct - // operation. The runtime may also use this information to improve UX, such - // as by constructing a readable name. - PodSandboxMetadata metadata = 1; - // Hostname of the sandbox. Hostname could only be empty when the pod - // network namespace is NODE. - string hostname = 2; - // Path to the directory on the host in which container log files are - // stored. - // By default the log of a container going into the LogDirectory will be - // hooked up to STDOUT and STDERR. However, the LogDirectory may contain - // binary log files with structured logging data from the individual - // containers. For example, the files might be newline separated JSON - // structured logs, systemd-journald journal files, gRPC trace files, etc. - // E.g., - // PodSandboxConfig.LogDirectory = `/var/log/pods//` - // ContainerConfig.LogPath = `containerName/Instance#.log` - string log_directory = 3; - // DNS config for the sandbox. - DNSConfig dns_config = 4; - // Port mappings for the sandbox. - repeated PortMapping port_mappings = 5; - // Key-value pairs that may be used to scope and select individual resources. - map labels = 6; - // Unstructured key-value map that may be set by the kubelet to store and - // retrieve arbitrary metadata. This will include any annotations set on a - // pod through the Kubernetes API. - // - // Annotations MUST NOT be altered by the runtime; the annotations stored - // here MUST be returned in the PodSandboxStatus associated with the pod - // this PodSandboxConfig creates. - // - // In general, in order to preserve a well-defined interface between the - // kubelet and the container runtime, annotations SHOULD NOT influence - // runtime behaviour. - // - // Annotations can also be useful for runtime authors to experiment with - // new features that are opaque to the Kubernetes APIs (both user-facing - // and the CRI). Whenever possible, however, runtime authors SHOULD - // consider proposing new typed fields for any new features instead. - map annotations = 7; - // Optional configurations specific to Linux hosts. - LinuxPodSandboxConfig linux = 8; - // Optional configurations specific to Windows hosts. - WindowsPodSandboxConfig windows = 9; + // Metadata of the sandbox. This information will uniquely identify the + // sandbox, and the runtime should leverage this to ensure correct + // operation. The runtime may also use this information to improve UX, such + // as by constructing a readable name. + PodSandboxMetadata metadata = 1; + // Hostname of the sandbox. Hostname could only be empty when the pod + // network namespace is NODE. + string hostname = 2; + // Path to the directory on the host in which container log files are + // stored. + // By default the log of a container going into the LogDirectory will be + // hooked up to STDOUT and STDERR. However, the LogDirectory may contain + // binary log files with structured logging data from the individual + // containers. For example, the files might be newline separated JSON + // structured logs, systemd-journald journal files, gRPC trace files, etc. + // E.g., + // PodSandboxConfig.LogDirectory = `/var/log/pods//` + // ContainerConfig.LogPath = `containerName/Instance#.log` + string log_directory = 3; + // DNS config for the sandbox. + DNSConfig dns_config = 4; + // Port mappings for the sandbox. + repeated PortMapping port_mappings = 5; + // Key-value pairs that may be used to scope and select individual resources. + map labels = 6; + // Unstructured key-value map that may be set by the kubelet to store and + // retrieve arbitrary metadata. This will include any annotations set on a + // pod through the Kubernetes API. + // + // Annotations MUST NOT be altered by the runtime; the annotations stored + // here MUST be returned in the PodSandboxStatus associated with the pod + // this PodSandboxConfig creates. + // + // In general, in order to preserve a well-defined interface between the + // kubelet and the container runtime, annotations SHOULD NOT influence + // runtime behaviour. + // + // Annotations can also be useful for runtime authors to experiment with + // new features that are opaque to the Kubernetes APIs (both user-facing + // and the CRI). Whenever possible, however, runtime authors SHOULD + // consider proposing new typed fields for any new features instead. + map annotations = 7; + // Optional configurations specific to Linux hosts. + LinuxPodSandboxConfig linux = 8; + // Optional configurations specific to Windows hosts. + WindowsPodSandboxConfig windows = 9; } message RunPodSandboxRequest { - // Configuration for creating a PodSandbox. - PodSandboxConfig config = 1; - // Named runtime configuration to use for this PodSandbox. - // If the runtime handler is unknown, this request should be rejected. An - // empty string should select the default handler, equivalent to the - // behavior before this feature was added. - // See https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class - string runtime_handler = 2; + // Configuration for creating a PodSandbox. + PodSandboxConfig config = 1; + // Named runtime configuration to use for this PodSandbox. + // If the runtime handler is unknown, this request should be rejected. An + // empty string should select the default handler, equivalent to the + // behavior before this feature was added. + // See https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class + string runtime_handler = 2; } message RunPodSandboxResponse { - // ID of the PodSandbox to run. - string pod_sandbox_id = 1; + // ID of the PodSandbox to run. + string pod_sandbox_id = 1; } message StopPodSandboxRequest { - // ID of the PodSandbox to stop. - string pod_sandbox_id = 1; + // ID of the PodSandbox to stop. + string pod_sandbox_id = 1; } message StopPodSandboxResponse {} message RemovePodSandboxRequest { - // ID of the PodSandbox to remove. - string pod_sandbox_id = 1; + // ID of the PodSandbox to remove. + string pod_sandbox_id = 1; } message RemovePodSandboxResponse {} message PodSandboxStatusRequest { - // ID of the PodSandbox for which to retrieve status. - string pod_sandbox_id = 1; - // Verbose indicates whether to return extra information about the pod sandbox. - bool verbose = 2; + // ID of the PodSandbox for which to retrieve status. + string pod_sandbox_id = 1; + // Verbose indicates whether to return extra information about the pod sandbox. + bool verbose = 2; } // PodIP represents an ip of a Pod message PodIP{ - // an ip is a string representation of an IPv4 or an IPv6 - string ip = 1; + // an ip is a string representation of an IPv4 or an IPv6 + string ip = 1; } // PodSandboxNetworkStatus is the status of the network for a PodSandbox. // Currently ignored for pods sharing the host networking namespace. message PodSandboxNetworkStatus { - // IP address of the PodSandbox. - string ip = 1; - // list of additional ips (not inclusive of PodSandboxNetworkStatus.Ip) of the PodSandBoxNetworkStatus - repeated PodIP additional_ips = 2; + // IP address of the PodSandbox. + string ip = 1; + // list of additional ips (not inclusive of PodSandboxNetworkStatus.Ip) of the PodSandBoxNetworkStatus + repeated PodIP additional_ips = 2; } // Namespace contains paths to the namespaces. message Namespace { - // Namespace options for Linux namespaces. - NamespaceOption options = 2; + // Namespace options for Linux namespaces. + NamespaceOption options = 2; } // LinuxSandboxStatus contains status specific to Linux sandboxes. message LinuxPodSandboxStatus { - // Paths to the sandbox's namespaces. - Namespace namespaces = 1; + // Paths to the sandbox's namespaces. + Namespace namespaces = 1; } enum PodSandboxState { - SANDBOX_READY = 0; - SANDBOX_NOTREADY = 1; + SANDBOX_READY = 0; + SANDBOX_NOTREADY = 1; } // PodSandboxStatus contains the status of the PodSandbox. message PodSandboxStatus { - // ID of the sandbox. - string id = 1; - // Metadata of the sandbox. - PodSandboxMetadata metadata = 2; - // State of the sandbox. - PodSandboxState state = 3; - // Creation timestamp of the sandbox in nanoseconds. Must be > 0. - int64 created_at = 4; - // Network contains network status if network is handled by the runtime. - PodSandboxNetworkStatus network = 5; - // Linux-specific status to a pod sandbox. - LinuxPodSandboxStatus linux = 6; - // Labels are key-value pairs that may be used to scope and select individual resources. - map labels = 7; - // Unstructured key-value map holding arbitrary metadata. - // Annotations MUST NOT be altered by the runtime; the value of this field - // MUST be identical to that of the corresponding PodSandboxConfig used to - // instantiate the pod sandbox this status represents. - map annotations = 8; - // runtime configuration used for this PodSandbox. - string runtime_handler = 9; + // ID of the sandbox. + string id = 1; + // Metadata of the sandbox. + PodSandboxMetadata metadata = 2; + // State of the sandbox. + PodSandboxState state = 3; + // Creation timestamp of the sandbox in nanoseconds. Must be > 0. + int64 created_at = 4; + // Network contains network status if network is handled by the runtime. + PodSandboxNetworkStatus network = 5; + // Linux-specific status to a pod sandbox. + LinuxPodSandboxStatus linux = 6; + // Labels are key-value pairs that may be used to scope and select individual resources. + map labels = 7; + // Unstructured key-value map holding arbitrary metadata. + // Annotations MUST NOT be altered by the runtime; the value of this field + // MUST be identical to that of the corresponding PodSandboxConfig used to + // instantiate the pod sandbox this status represents. + map annotations = 8; + // runtime configuration used for this PodSandbox. + string runtime_handler = 9; } message PodSandboxStatusResponse { - // Status of the PodSandbox. - PodSandboxStatus status = 1; - // Info is extra information of the PodSandbox. The key could be arbitrary string, and - // value should be in json format. The information could include anything useful for - // debug, e.g. network namespace for linux container based container runtime. - // It should only be returned non-empty when Verbose is true. - map info = 2; + // Status of the PodSandbox. + PodSandboxStatus status = 1; + // Info is extra information of the PodSandbox. The key could be arbitrary string, and + // value should be in json format. The information could include anything useful for + // debug, e.g. network namespace for linux container based container runtime. + // It should only be returned non-empty when Verbose is true. + map info = 2; } // PodSandboxStateValue is the wrapper of PodSandboxState. message PodSandboxStateValue { - // State of the sandbox. - PodSandboxState state = 1; + // State of the sandbox. + PodSandboxState state = 1; } // PodSandboxFilter is used to filter a list of PodSandboxes. // All those fields are combined with 'AND' message PodSandboxFilter { - // ID of the sandbox. - string id = 1; - // State of the sandbox. - PodSandboxStateValue state = 2; - // LabelSelector to select matches. - // Only api.MatchLabels is supported for now and the requirements - // are ANDed. MatchExpressions is not supported yet. - map label_selector = 3; + // ID of the sandbox. + string id = 1; + // State of the sandbox. + PodSandboxStateValue state = 2; + // LabelSelector to select matches. + // Only api.MatchLabels is supported for now and the requirements + // are ANDed. MatchExpressions is not supported yet. + map label_selector = 3; } message ListPodSandboxRequest { - // PodSandboxFilter to filter a list of PodSandboxes. - PodSandboxFilter filter = 1; + // PodSandboxFilter to filter a list of PodSandboxes. + PodSandboxFilter filter = 1; } // PodSandbox contains minimal information about a sandbox. message PodSandbox { - // ID of the PodSandbox. - string id = 1; - // Metadata of the PodSandbox. - PodSandboxMetadata metadata = 2; - // State of the PodSandbox. - PodSandboxState state = 3; - // Creation timestamps of the PodSandbox in nanoseconds. Must be > 0. - int64 created_at = 4; - // Labels of the PodSandbox. - map labels = 5; - // Unstructured key-value map holding arbitrary metadata. - // Annotations MUST NOT be altered by the runtime; the value of this field - // MUST be identical to that of the corresponding PodSandboxConfig used to - // instantiate this PodSandbox. - map annotations = 6; - // runtime configuration used for this PodSandbox. - string runtime_handler = 7; + // ID of the PodSandbox. + string id = 1; + // Metadata of the PodSandbox. + PodSandboxMetadata metadata = 2; + // State of the PodSandbox. + PodSandboxState state = 3; + // Creation timestamps of the PodSandbox in nanoseconds. Must be > 0. + int64 created_at = 4; + // Labels of the PodSandbox. + map labels = 5; + // Unstructured key-value map holding arbitrary metadata. + // Annotations MUST NOT be altered by the runtime; the value of this field + // MUST be identical to that of the corresponding PodSandboxConfig used to + // instantiate this PodSandbox. + map annotations = 6; + // runtime configuration used for this PodSandbox. + string runtime_handler = 7; } message ListPodSandboxResponse { - // List of PodSandboxes. - repeated PodSandbox items = 1; + // List of PodSandboxes. + repeated PodSandbox items = 1; } message PodSandboxStatsRequest { - // ID of the pod sandbox for which to retrieve stats. - string pod_sandbox_id = 1; + // ID of the pod sandbox for which to retrieve stats. + string pod_sandbox_id = 1; } message PodSandboxStatsResponse { - PodSandboxStats stats = 1; + PodSandboxStats stats = 1; } // PodSandboxStatsFilter is used to filter the list of pod sandboxes to retrieve stats for. // All those fields are combined with 'AND'. message PodSandboxStatsFilter { - // ID of the pod sandbox. - string id = 1; - // LabelSelector to select matches. - // Only api.MatchLabels is supported for now and the requirements - // are ANDed. MatchExpressions is not supported yet. - map label_selector = 2; + // ID of the pod sandbox. + string id = 1; + // LabelSelector to select matches. + // Only api.MatchLabels is supported for now and the requirements + // are ANDed. MatchExpressions is not supported yet. + map label_selector = 2; } message ListPodSandboxStatsRequest { - // Filter for the list request. - PodSandboxStatsFilter filter = 1; + // Filter for the list request. + PodSandboxStatsFilter filter = 1; } message ListPodSandboxStatsResponse { - // Stats of the pod sandbox. - repeated PodSandboxStats stats = 1; + // Stats of the pod sandbox. + repeated PodSandboxStats stats = 1; } // PodSandboxAttributes provides basic information of the pod sandbox. message PodSandboxAttributes { - // ID of the pod sandbox. - string id = 1; - // Metadata of the pod sandbox. - PodSandboxMetadata metadata = 2; - // Key-value pairs that may be used to scope and select individual resources. - map labels = 3; - // Unstructured key-value map holding arbitrary metadata. - // Annotations MUST NOT be altered by the runtime; the value of this field - // MUST be identical to that of the corresponding PodSandboxStatus used to - // instantiate the PodSandbox this status represents. - map annotations = 4; + // ID of the pod sandbox. + string id = 1; + // Metadata of the pod sandbox. + PodSandboxMetadata metadata = 2; + // Key-value pairs that may be used to scope and select individual resources. + map labels = 3; + // Unstructured key-value map holding arbitrary metadata. + // Annotations MUST NOT be altered by the runtime; the value of this field + // MUST be identical to that of the corresponding PodSandboxStatus used to + // instantiate the PodSandbox this status represents. + map annotations = 4; } // PodSandboxStats provides the resource usage statistics for a pod. // The linux or windows field will be populated depending on the platform. message PodSandboxStats { - // Information of the pod. - PodSandboxAttributes attributes = 1; - // Stats from linux. - LinuxPodSandboxStats linux = 2; - // Stats from windows. - WindowsPodSandboxStats windows = 3; + // Information of the pod. + PodSandboxAttributes attributes = 1; + // Stats from linux. + LinuxPodSandboxStats linux = 2; + // Stats from windows. + WindowsPodSandboxStats windows = 3; } // LinuxPodSandboxStats provides the resource usage statistics for a pod sandbox on linux. message LinuxPodSandboxStats { - // CPU usage gathered for the pod sandbox. - CpuUsage cpu = 1; - // Memory usage gathered for the pod sandbox. - MemoryUsage memory = 2; - // Network usage gathered for the pod sandbox - NetworkUsage network = 3; - // Stats pertaining to processes in the pod sandbox. - ProcessUsage process = 4; - // Stats of containers in the measured pod sandbox. - repeated ContainerStats containers = 5; + // CPU usage gathered for the pod sandbox. + CpuUsage cpu = 1; + // Memory usage gathered for the pod sandbox. + MemoryUsage memory = 2; + // Network usage gathered for the pod sandbox + NetworkUsage network = 3; + // Stats pertaining to processes in the pod sandbox. + ProcessUsage process = 4; + // Stats of containers in the measured pod sandbox. + repeated ContainerStats containers = 5; } // WindowsPodSandboxStats provides the resource usage statistics for a pod sandbox on windows message WindowsPodSandboxStats { - // TODO: Add stats relevant to windows. + // TODO: Add stats relevant to windows. } // NetworkUsage contains data about network resources. message NetworkUsage { - // The time at which these stats were updated. - int64 timestamp = 1; - // Stats for the default network interface. - NetworkInterfaceUsage default_interface = 2; - // Stats for all found network interfaces, excluding the default. - repeated NetworkInterfaceUsage interfaces = 3; + // The time at which these stats were updated. + int64 timestamp = 1; + // Stats for the default network interface. + NetworkInterfaceUsage default_interface = 2; + // Stats for all found network interfaces, excluding the default. + repeated NetworkInterfaceUsage interfaces = 3; } // NetworkInterfaceUsage contains resource value data about a network interface. message NetworkInterfaceUsage { - // The name of the network interface. - string name = 1; - // Cumulative count of bytes received. - UInt64Value rx_bytes = 2; - // Cumulative count of receive errors encountered. - UInt64Value rx_errors = 3; - // Cumulative count of bytes transmitted. - UInt64Value tx_bytes = 4; - // Cumulative count of transmit errors encountered. - UInt64Value tx_errors = 5; + // The name of the network interface. + string name = 1; + // Cumulative count of bytes received. + UInt64Value rx_bytes = 2; + // Cumulative count of receive errors encountered. + UInt64Value rx_errors = 3; + // Cumulative count of bytes transmitted. + UInt64Value tx_bytes = 4; + // Cumulative count of transmit errors encountered. + UInt64Value tx_errors = 5; } // ProcessUsage are stats pertaining to processes. message ProcessUsage { - // The time at which these stats were updated. - int64 timestamp = 1; - // Number of processes. - UInt64Value process_count = 2; + // The time at which these stats were updated. + int64 timestamp = 1; + // Number of processes. + UInt64Value process_count = 2; } // ImageSpec is an internal representation of an image. message ImageSpec { - // Container's Image field (e.g. imageID or imageDigest). - string image = 1; - // Unstructured key-value map holding arbitrary metadata. - // ImageSpec Annotations can be used to help the runtime target specific - // images in multi-arch images. - map annotations = 2; + // Container's Image field (e.g. imageID or imageDigest). + string image = 1; + // Unstructured key-value map holding arbitrary metadata. + // ImageSpec Annotations can be used to help the runtime target specific + // images in multi-arch images. + map annotations = 2; } message KeyValue { - string key = 1; - string value = 2; + string key = 1; + string value = 2; } // LinuxContainerResources specifies Linux specific configuration for // resources. message LinuxContainerResources { - // CPU CFS (Completely Fair Scheduler) period. Default: 0 (not specified). - int64 cpu_period = 1; - // CPU CFS (Completely Fair Scheduler) quota. Default: 0 (not specified). - int64 cpu_quota = 2; - // CPU shares (relative weight vs. other containers). Default: 0 (not specified). - int64 cpu_shares = 3; - // Memory limit in bytes. Default: 0 (not specified). - int64 memory_limit_in_bytes = 4; - // OOMScoreAdj adjusts the oom-killer score. Default: 0 (not specified). - int64 oom_score_adj = 5; - // CpusetCpus constrains the allowed set of logical CPUs. Default: "" (not specified). - string cpuset_cpus = 6; - // CpusetMems constrains the allowed set of memory nodes. Default: "" (not specified). - string cpuset_mems = 7; - // List of HugepageLimits to limit the HugeTLB usage of container per page size. Default: nil (not specified). - repeated HugepageLimit hugepage_limits = 8; - // Unified resources for cgroup v2. Default: nil (not specified). - // Each key/value in the map refers to the cgroup v2. - // e.g. "memory.max": "6937202688" or "io.weight": "default 100". - map unified = 9; - // Memory swap limit in bytes. Default 0 (not specified). - int64 memory_swap_limit_in_bytes = 10; + // CPU CFS (Completely Fair Scheduler) period. Default: 0 (not specified). + int64 cpu_period = 1; + // CPU CFS (Completely Fair Scheduler) quota. Default: 0 (not specified). + int64 cpu_quota = 2; + // CPU shares (relative weight vs. other containers). Default: 0 (not specified). + int64 cpu_shares = 3; + // Memory limit in bytes. Default: 0 (not specified). + int64 memory_limit_in_bytes = 4; + // OOMScoreAdj adjusts the oom-killer score. Default: 0 (not specified). + int64 oom_score_adj = 5; + // CpusetCpus constrains the allowed set of logical CPUs. Default: "" (not specified). + string cpuset_cpus = 6; + // CpusetMems constrains the allowed set of memory nodes. Default: "" (not specified). + string cpuset_mems = 7; + // List of HugepageLimits to limit the HugeTLB usage of container per page size. Default: nil (not specified). + repeated HugepageLimit hugepage_limits = 8; + // Unified resources for cgroup v2. Default: nil (not specified). + // Each key/value in the map refers to the cgroup v2. + // e.g. "memory.max": "6937202688" or "io.weight": "default 100". + map unified = 9; + // Memory swap limit in bytes. Default 0 (not specified). + int64 memory_swap_limit_in_bytes = 10; } // HugepageLimit corresponds to the file`hugetlb..limit_in_byte` in container level cgroup. // For example, `PageSize=1GB`, `Limit=1073741824` means setting `1073741824` bytes to hugetlb.1GB.limit_in_bytes. message HugepageLimit { - // The value of PageSize has the format B (2MB, 1GB), - // and must match the of the corresponding control file found in `hugetlb..limit_in_bytes`. - // The values of are intended to be parsed using base 1024("1KB" = 1024, "1MB" = 1048576, etc). - string page_size = 1; - // limit in bytes of hugepagesize HugeTLB usage. - uint64 limit = 2; + // The value of PageSize has the format B (2MB, 1GB), + // and must match the of the corresponding control file found in `hugetlb..limit_in_bytes`. + // The values of are intended to be parsed using base 1024("1KB" = 1024, "1MB" = 1048576, etc). + string page_size = 1; + // limit in bytes of hugepagesize HugeTLB usage. + uint64 limit = 2; } // SELinuxOption are the labels to be applied to the container. message SELinuxOption { - string user = 1; - string role = 2; - string type = 3; - string level = 4; + string user = 1; + string role = 2; + string type = 3; + string level = 4; } // Capability contains the container capabilities to add or drop @@ -753,154 +753,154 @@ message SELinuxOption { // If a capability is added to add_capabilities and add_ambient_capabilities lists then it gets added to all sets, i.e. // permitted, inheritable, effective, bounding and ambient sets. message Capability { - // List of capabilities to add. - repeated string add_capabilities = 1; - // List of capabilities to drop. - repeated string drop_capabilities = 2; - // List of ambient capabilities to add. - repeated string add_ambient_capabilities = 3; + // List of capabilities to add. + repeated string add_capabilities = 1; + // List of capabilities to drop. + repeated string drop_capabilities = 2; + // List of ambient capabilities to add. + repeated string add_ambient_capabilities = 3; } // LinuxContainerSecurityContext holds linux security configuration that will be applied to a container. message LinuxContainerSecurityContext { - // Capabilities to add or drop. - Capability capabilities = 1; - // If set, run container in privileged mode. - // Privileged mode is incompatible with the following options. If - // privileged is set, the following features MAY have no effect: - // 1. capabilities - // 2. selinux_options - // 4. seccomp - // 5. apparmor - // - // Privileged mode implies the following specific options are applied: - // 1. All capabilities are added. - // 2. Sensitive paths, such as kernel module paths within sysfs, are not masked. - // 3. Any sysfs and procfs mounts are mounted RW. - // 4. AppArmor confinement is not applied. - // 5. Seccomp restrictions are not applied. - // 6. The device cgroup does not restrict access to any devices. - // 7. All devices from the host's /dev are available within the container. - // 8. SELinux restrictions are not applied (e.g. label=disabled). - bool privileged = 2; - // Configurations for the container's namespaces. - // Only used if the container uses namespace for isolation. - NamespaceOption namespace_options = 3; - // SELinux context to be optionally applied. - SELinuxOption selinux_options = 4; - // UID to run the container process as. Only one of run_as_user and - // run_as_username can be specified at a time. - Int64Value run_as_user = 5; - // GID to run the container process as. run_as_group should only be specified - // when run_as_user or run_as_username is specified; otherwise, the runtime - // MUST error. - Int64Value run_as_group = 12; - // User name to run the container process as. If specified, the user MUST - // exist in the container image (i.e. in the /etc/passwd inside the image), - // and be resolved there by the runtime; otherwise, the runtime MUST error. - string run_as_username = 6; - // If set, the root filesystem of the container is read-only. - bool readonly_rootfs = 7; - // List of groups applied to the first process run in the container, in - // addition to the container's primary GID. - repeated int64 supplemental_groups = 8; - // no_new_privs defines if the flag for no_new_privs should be set on the - // container. - bool no_new_privs = 11; - // masked_paths is a slice of paths that should be masked by the container - // runtime, this can be passed directly to the OCI spec. - repeated string masked_paths = 13; - // readonly_paths is a slice of paths that should be set as readonly by the - // container runtime, this can be passed directly to the OCI spec. - repeated string readonly_paths = 14; - // Seccomp profile for the container. - SecurityProfile seccomp = 15; - // AppArmor profile for the container. - SecurityProfile apparmor = 16; - // AppArmor profile for the container, candidate values are: - // * runtime/default: equivalent to not specifying a profile. - // * unconfined: no profiles are loaded - // * localhost/: profile loaded on the node - // (localhost) by name. The possible profile names are detailed at - // https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference - string apparmor_profile = 9 [deprecated=true]; - // Seccomp profile for the container, candidate values are: - // * runtime/default: the default profile for the container runtime - // * unconfined: unconfined profile, ie, no seccomp sandboxing - // * localhost/: the profile installed on the node. - // is the full path of the profile. - // Default: "", which is identical with unconfined. - string seccomp_profile_path = 10 [deprecated=true]; + // Capabilities to add or drop. + Capability capabilities = 1; + // If set, run container in privileged mode. + // Privileged mode is incompatible with the following options. If + // privileged is set, the following features MAY have no effect: + // 1. capabilities + // 2. selinux_options + // 4. seccomp + // 5. apparmor + // + // Privileged mode implies the following specific options are applied: + // 1. All capabilities are added. + // 2. Sensitive paths, such as kernel module paths within sysfs, are not masked. + // 3. Any sysfs and procfs mounts are mounted RW. + // 4. AppArmor confinement is not applied. + // 5. Seccomp restrictions are not applied. + // 6. The device cgroup does not restrict access to any devices. + // 7. All devices from the host's /dev are available within the container. + // 8. SELinux restrictions are not applied (e.g. label=disabled). + bool privileged = 2; + // Configurations for the container's namespaces. + // Only used if the container uses namespace for isolation. + NamespaceOption namespace_options = 3; + // SELinux context to be optionally applied. + SELinuxOption selinux_options = 4; + // UID to run the container process as. Only one of run_as_user and + // run_as_username can be specified at a time. + Int64Value run_as_user = 5; + // GID to run the container process as. run_as_group should only be specified + // when run_as_user or run_as_username is specified; otherwise, the runtime + // MUST error. + Int64Value run_as_group = 12; + // User name to run the container process as. If specified, the user MUST + // exist in the container image (i.e. in the /etc/passwd inside the image), + // and be resolved there by the runtime; otherwise, the runtime MUST error. + string run_as_username = 6; + // If set, the root filesystem of the container is read-only. + bool readonly_rootfs = 7; + // List of groups applied to the first process run in the container, in + // addition to the container's primary GID. + repeated int64 supplemental_groups = 8; + // no_new_privs defines if the flag for no_new_privs should be set on the + // container. + bool no_new_privs = 11; + // masked_paths is a slice of paths that should be masked by the container + // runtime, this can be passed directly to the OCI spec. + repeated string masked_paths = 13; + // readonly_paths is a slice of paths that should be set as readonly by the + // container runtime, this can be passed directly to the OCI spec. + repeated string readonly_paths = 14; + // Seccomp profile for the container. + SecurityProfile seccomp = 15; + // AppArmor profile for the container. + SecurityProfile apparmor = 16; + // AppArmor profile for the container, candidate values are: + // * runtime/default: equivalent to not specifying a profile. + // * unconfined: no profiles are loaded + // * localhost/: profile loaded on the node + // (localhost) by name. The possible profile names are detailed at + // https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference + string apparmor_profile = 9 [deprecated=true]; + // Seccomp profile for the container, candidate values are: + // * runtime/default: the default profile for the container runtime + // * unconfined: unconfined profile, ie, no seccomp sandboxing + // * localhost/: the profile installed on the node. + // is the full path of the profile. + // Default: "", which is identical with unconfined. + string seccomp_profile_path = 10 [deprecated=true]; } // LinuxContainerConfig contains platform-specific configuration for // Linux-based containers. message LinuxContainerConfig { - // Resources specification for the container. - LinuxContainerResources resources = 1; - // LinuxContainerSecurityContext configuration for the container. - LinuxContainerSecurityContext security_context = 2; + // Resources specification for the container. + LinuxContainerResources resources = 1; + // LinuxContainerSecurityContext configuration for the container. + LinuxContainerSecurityContext security_context = 2; } // WindowsSandboxSecurityContext holds platform-specific configurations that will be // applied to a sandbox. // These settings will only apply to the sandbox container. message WindowsSandboxSecurityContext { - // User name to run the container process as. If specified, the user MUST - // exist in the container image and be resolved there by the runtime; - // otherwise, the runtime MUST return error. - string run_as_username = 1; + // User name to run the container process as. If specified, the user MUST + // exist in the container image and be resolved there by the runtime; + // otherwise, the runtime MUST return error. + string run_as_username = 1; - // The contents of the GMSA credential spec to use to run this container. - string credential_spec = 2; + // The contents of the GMSA credential spec to use to run this container. + string credential_spec = 2; - // Indicates whether the container requested to run as a HostProcess container. - bool host_process = 3; + // Indicates whether the container requested to run as a HostProcess container. + bool host_process = 3; } // WindowsPodSandboxConfig holds platform-specific configurations for Windows // host platforms and Windows-based containers. message WindowsPodSandboxConfig { - // WindowsSandboxSecurityContext holds sandbox security attributes. - WindowsSandboxSecurityContext security_context = 1; + // WindowsSandboxSecurityContext holds sandbox security attributes. + WindowsSandboxSecurityContext security_context = 1; } // WindowsContainerSecurityContext holds windows security configuration that will be applied to a container. message WindowsContainerSecurityContext { - // User name to run the container process as. If specified, the user MUST - // exist in the container image and be resolved there by the runtime; - // otherwise, the runtime MUST return error. - string run_as_username = 1; + // User name to run the container process as. If specified, the user MUST + // exist in the container image and be resolved there by the runtime; + // otherwise, the runtime MUST return error. + string run_as_username = 1; - // The contents of the GMSA credential spec to use to run this container. - string credential_spec = 2; + // The contents of the GMSA credential spec to use to run this container. + string credential_spec = 2; - // Indicates whether a container is to be run as a HostProcess container. - bool host_process = 3; + // Indicates whether a container is to be run as a HostProcess container. + bool host_process = 3; } // WindowsContainerConfig contains platform-specific configuration for // Windows-based containers. message WindowsContainerConfig { - // Resources specification for the container. - WindowsContainerResources resources = 1; - // WindowsContainerSecurityContext configuration for the container. - WindowsContainerSecurityContext security_context = 2; + // Resources specification for the container. + WindowsContainerResources resources = 1; + // WindowsContainerSecurityContext configuration for the container. + WindowsContainerSecurityContext security_context = 2; } // WindowsContainerResources specifies Windows specific configuration for // resources. message WindowsContainerResources { - // CPU shares (relative weight vs. other containers). Default: 0 (not specified). - int64 cpu_shares = 1; - // Number of CPUs available to the container. Default: 0 (not specified). - int64 cpu_count = 2; - // Specifies the portion of processor cycles that this container can use as a percentage times 100. - int64 cpu_maximum = 3; - // Memory limit in bytes. Default: 0 (not specified). - int64 memory_limit_in_bytes = 4; - // Specifies the size of the rootfs / scratch space in bytes to be configured for this container. Default: 0 (not specified). - int64 rootfs_size_in_bytes = 5; + // CPU shares (relative weight vs. other containers). Default: 0 (not specified). + int64 cpu_shares = 1; + // Number of CPUs available to the container. Default: 0 (not specified). + int64 cpu_count = 2; + // Specifies the portion of processor cycles that this container can use as a percentage times 100. + int64 cpu_maximum = 3; + // Memory limit in bytes. Default: 0 (not specified). + int64 memory_limit_in_bytes = 4; + // Specifies the size of the rootfs / scratch space in bytes to be configured for this container. Default: 0 (not specified). + int64 rootfs_size_in_bytes = 5; } // ContainerMetadata holds all necessary information for building the container @@ -909,461 +909,461 @@ message WindowsContainerResources { // container name based on the metadata. Note that (name, attempt) is unique // within a sandbox for the entire lifetime of the sandbox. message ContainerMetadata { - // Name of the container. Same as the container name in the PodSpec. - string name = 1; - // Attempt number of creating the container. Default: 0. - uint32 attempt = 2; + // Name of the container. Same as the container name in the PodSpec. + string name = 1; + // Attempt number of creating the container. Default: 0. + uint32 attempt = 2; } // Device specifies a host device to mount into a container. message Device { - // Path of the device within the container. - string container_path = 1; - // Path of the device on the host. - string host_path = 2; - // Cgroups permissions of the device, candidates are one or more of - // * r - allows container to read from the specified device. - // * w - allows container to write to the specified device. - // * m - allows container to create device files that do not yet exist. - string permissions = 3; + // Path of the device within the container. + string container_path = 1; + // Path of the device on the host. + string host_path = 2; + // Cgroups permissions of the device, candidates are one or more of + // * r - allows container to read from the specified device. + // * w - allows container to write to the specified device. + // * m - allows container to create device files that do not yet exist. + string permissions = 3; } // ContainerConfig holds all the required and optional fields for creating a // container. message ContainerConfig { - // Metadata of the container. This information will uniquely identify the - // container, and the runtime should leverage this to ensure correct - // operation. The runtime may also use this information to improve UX, such - // as by constructing a readable name. - ContainerMetadata metadata = 1 ; - // Image to use. - ImageSpec image = 2; - // Command to execute (i.e., entrypoint for docker) - repeated string command = 3; - // Args for the Command (i.e., command for docker) - repeated string args = 4; - // Current working directory of the command. - string working_dir = 5; - // List of environment variable to set in the container. - repeated KeyValue envs = 6; - // Mounts for the container. - repeated Mount mounts = 7; - // Devices for the container. - repeated Device devices = 8; - // Key-value pairs that may be used to scope and select individual resources. - // Label keys are of the form: - // label-key ::= prefixed-name | name - // prefixed-name ::= prefix '/' name - // prefix ::= DNS_SUBDOMAIN - // name ::= DNS_LABEL - map labels = 9; - // Unstructured key-value map that may be used by the kubelet to store and - // retrieve arbitrary metadata. - // - // Annotations MUST NOT be altered by the runtime; the annotations stored - // here MUST be returned in the ContainerStatus associated with the container - // this ContainerConfig creates. - // - // In general, in order to preserve a well-defined interface between the - // kubelet and the container runtime, annotations SHOULD NOT influence - // runtime behaviour. - map annotations = 10; - // Path relative to PodSandboxConfig.LogDirectory for container to store - // the log (STDOUT and STDERR) on the host. - // E.g., - // PodSandboxConfig.LogDirectory = `/var/log/pods//` - // ContainerConfig.LogPath = `containerName/Instance#.log` - // - // WARNING: Log management and how kubelet should interface with the - // container logs are under active discussion in - // https://issues.k8s.io/24677. There *may* be future change of direction - // for logging as the discussion carries on. - string log_path = 11; + // Metadata of the container. This information will uniquely identify the + // container, and the runtime should leverage this to ensure correct + // operation. The runtime may also use this information to improve UX, such + // as by constructing a readable name. + ContainerMetadata metadata = 1 ; + // Image to use. + ImageSpec image = 2; + // Command to execute (i.e., entrypoint for docker) + repeated string command = 3; + // Args for the Command (i.e., command for docker) + repeated string args = 4; + // Current working directory of the command. + string working_dir = 5; + // List of environment variable to set in the container. + repeated KeyValue envs = 6; + // Mounts for the container. + repeated Mount mounts = 7; + // Devices for the container. + repeated Device devices = 8; + // Key-value pairs that may be used to scope and select individual resources. + // Label keys are of the form: + // label-key ::= prefixed-name | name + // prefixed-name ::= prefix '/' name + // prefix ::= DNS_SUBDOMAIN + // name ::= DNS_LABEL + map labels = 9; + // Unstructured key-value map that may be used by the kubelet to store and + // retrieve arbitrary metadata. + // + // Annotations MUST NOT be altered by the runtime; the annotations stored + // here MUST be returned in the ContainerStatus associated with the container + // this ContainerConfig creates. + // + // In general, in order to preserve a well-defined interface between the + // kubelet and the container runtime, annotations SHOULD NOT influence + // runtime behaviour. + map annotations = 10; + // Path relative to PodSandboxConfig.LogDirectory for container to store + // the log (STDOUT and STDERR) on the host. + // E.g., + // PodSandboxConfig.LogDirectory = `/var/log/pods//` + // ContainerConfig.LogPath = `containerName/Instance#.log` + // + // WARNING: Log management and how kubelet should interface with the + // container logs are under active discussion in + // https://issues.k8s.io/24677. There *may* be future change of direction + // for logging as the discussion carries on. + string log_path = 11; - // Variables for interactive containers, these have very specialized - // use-cases (e.g. debugging). - bool stdin = 12; - bool stdin_once = 13; - bool tty = 14; + // Variables for interactive containers, these have very specialized + // use-cases (e.g. debugging). + bool stdin = 12; + bool stdin_once = 13; + bool tty = 14; - // Configuration specific to Linux containers. - LinuxContainerConfig linux = 15; - // Configuration specific to Windows containers. - WindowsContainerConfig windows = 16; + // Configuration specific to Linux containers. + LinuxContainerConfig linux = 15; + // Configuration specific to Windows containers. + WindowsContainerConfig windows = 16; } message CreateContainerRequest { - // ID of the PodSandbox in which the container should be created. - string pod_sandbox_id = 1; - // Config of the container. - ContainerConfig config = 2; - // Config of the PodSandbox. This is the same config that was passed - // to RunPodSandboxRequest to create the PodSandbox. It is passed again - // here just for easy reference. The PodSandboxConfig is immutable and - // remains the same throughout the lifetime of the pod. - PodSandboxConfig sandbox_config = 3; + // ID of the PodSandbox in which the container should be created. + string pod_sandbox_id = 1; + // Config of the container. + ContainerConfig config = 2; + // Config of the PodSandbox. This is the same config that was passed + // to RunPodSandboxRequest to create the PodSandbox. It is passed again + // here just for easy reference. The PodSandboxConfig is immutable and + // remains the same throughout the lifetime of the pod. + PodSandboxConfig sandbox_config = 3; } message CreateContainerResponse { - // ID of the created container. - string container_id = 1; + // ID of the created container. + string container_id = 1; } message StartContainerRequest { - // ID of the container to start. - string container_id = 1; + // ID of the container to start. + string container_id = 1; } message StartContainerResponse {} message StopContainerRequest { - // ID of the container to stop. - string container_id = 1; - // Timeout in seconds to wait for the container to stop before forcibly - // terminating it. Default: 0 (forcibly terminate the container immediately) - int64 timeout = 2; + // ID of the container to stop. + string container_id = 1; + // Timeout in seconds to wait for the container to stop before forcibly + // terminating it. Default: 0 (forcibly terminate the container immediately) + int64 timeout = 2; } message StopContainerResponse {} message RemoveContainerRequest { - // ID of the container to remove. - string container_id = 1; + // ID of the container to remove. + string container_id = 1; } message RemoveContainerResponse {} enum ContainerState { - CONTAINER_CREATED = 0; - CONTAINER_RUNNING = 1; - CONTAINER_EXITED = 2; - CONTAINER_UNKNOWN = 3; + CONTAINER_CREATED = 0; + CONTAINER_RUNNING = 1; + CONTAINER_EXITED = 2; + CONTAINER_UNKNOWN = 3; } // ContainerStateValue is the wrapper of ContainerState. message ContainerStateValue { - // State of the container. - ContainerState state = 1; + // State of the container. + ContainerState state = 1; } // ContainerFilter is used to filter containers. // All those fields are combined with 'AND' message ContainerFilter { - // ID of the container. - string id = 1; - // State of the container. - ContainerStateValue state = 2; - // ID of the PodSandbox. - string pod_sandbox_id = 3; - // LabelSelector to select matches. - // Only api.MatchLabels is supported for now and the requirements - // are ANDed. MatchExpressions is not supported yet. - map label_selector = 4; + // ID of the container. + string id = 1; + // State of the container. + ContainerStateValue state = 2; + // ID of the PodSandbox. + string pod_sandbox_id = 3; + // LabelSelector to select matches. + // Only api.MatchLabels is supported for now and the requirements + // are ANDed. MatchExpressions is not supported yet. + map label_selector = 4; } message ListContainersRequest { - ContainerFilter filter = 1; + ContainerFilter filter = 1; } // Container provides the runtime information for a container, such as ID, hash, // state of the container. message Container { - // ID of the container, used by the container runtime to identify - // a container. - string id = 1; - // ID of the sandbox to which this container belongs. - string pod_sandbox_id = 2; - // Metadata of the container. - ContainerMetadata metadata = 3; - // Spec of the image. - ImageSpec image = 4; - // Reference to the image in use. For most runtimes, this should be an - // image ID. - string image_ref = 5; - // State of the container. - ContainerState state = 6; - // Creation time of the container in nanoseconds. - int64 created_at = 7; - // Key-value pairs that may be used to scope and select individual resources. - map labels = 8; - // Unstructured key-value map holding arbitrary metadata. - // Annotations MUST NOT be altered by the runtime; the value of this field - // MUST be identical to that of the corresponding ContainerConfig used to - // instantiate this Container. - map annotations = 9; + // ID of the container, used by the container runtime to identify + // a container. + string id = 1; + // ID of the sandbox to which this container belongs. + string pod_sandbox_id = 2; + // Metadata of the container. + ContainerMetadata metadata = 3; + // Spec of the image. + ImageSpec image = 4; + // Reference to the image in use. For most runtimes, this should be an + // image ID. + string image_ref = 5; + // State of the container. + ContainerState state = 6; + // Creation time of the container in nanoseconds. + int64 created_at = 7; + // Key-value pairs that may be used to scope and select individual resources. + map labels = 8; + // Unstructured key-value map holding arbitrary metadata. + // Annotations MUST NOT be altered by the runtime; the value of this field + // MUST be identical to that of the corresponding ContainerConfig used to + // instantiate this Container. + map annotations = 9; } message ListContainersResponse { - // List of containers. - repeated Container containers = 1; + // List of containers. + repeated Container containers = 1; } message ContainerStatusRequest { - // ID of the container for which to retrieve status. - string container_id = 1; - // Verbose indicates whether to return extra information about the container. - bool verbose = 2; + // ID of the container for which to retrieve status. + string container_id = 1; + // Verbose indicates whether to return extra information about the container. + bool verbose = 2; } // ContainerStatus represents the status of a container. message ContainerStatus { - // ID of the container. - string id = 1; - // Metadata of the container. - ContainerMetadata metadata = 2; - // Status of the container. - ContainerState state = 3; - // Creation time of the container in nanoseconds. - int64 created_at = 4; - // Start time of the container in nanoseconds. Default: 0 (not specified). - int64 started_at = 5; - // Finish time of the container in nanoseconds. Default: 0 (not specified). - int64 finished_at = 6; - // Exit code of the container. Only required when finished_at != 0. Default: 0. - int32 exit_code = 7; - // Spec of the image. - ImageSpec image = 8; - // Reference to the image in use. For most runtimes, this should be an - // image ID - string image_ref = 9; - // Brief CamelCase string explaining why container is in its current state. - string reason = 10; - // Human-readable message indicating details about why container is in its - // current state. - string message = 11; - // Key-value pairs that may be used to scope and select individual resources. - map labels = 12; - // Unstructured key-value map holding arbitrary metadata. - // Annotations MUST NOT be altered by the runtime; the value of this field - // MUST be identical to that of the corresponding ContainerConfig used to - // instantiate the Container this status represents. - map annotations = 13; - // Mounts for the container. - repeated Mount mounts = 14; - // Log path of container. - string log_path = 15; - // Resource limits configuration of the container. - ContainerResources resources = 16; + // ID of the container. + string id = 1; + // Metadata of the container. + ContainerMetadata metadata = 2; + // Status of the container. + ContainerState state = 3; + // Creation time of the container in nanoseconds. + int64 created_at = 4; + // Start time of the container in nanoseconds. Default: 0 (not specified). + int64 started_at = 5; + // Finish time of the container in nanoseconds. Default: 0 (not specified). + int64 finished_at = 6; + // Exit code of the container. Only required when finished_at != 0. Default: 0. + int32 exit_code = 7; + // Spec of the image. + ImageSpec image = 8; + // Reference to the image in use. For most runtimes, this should be an + // image ID + string image_ref = 9; + // Brief CamelCase string explaining why container is in its current state. + string reason = 10; + // Human-readable message indicating details about why container is in its + // current state. + string message = 11; + // Key-value pairs that may be used to scope and select individual resources. + map labels = 12; + // Unstructured key-value map holding arbitrary metadata. + // Annotations MUST NOT be altered by the runtime; the value of this field + // MUST be identical to that of the corresponding ContainerConfig used to + // instantiate the Container this status represents. + map annotations = 13; + // Mounts for the container. + repeated Mount mounts = 14; + // Log path of container. + string log_path = 15; + // Resource limits configuration of the container. + ContainerResources resources = 16; } message ContainerStatusResponse { - // Status of the container. - ContainerStatus status = 1; - // Info is extra information of the Container. The key could be arbitrary string, and - // value should be in json format. The information could include anything useful for - // debug, e.g. pid for linux container based container runtime. - // It should only be returned non-empty when Verbose is true. - map info = 2; + // Status of the container. + ContainerStatus status = 1; + // Info is extra information of the Container. The key could be arbitrary string, and + // value should be in json format. The information could include anything useful for + // debug, e.g. pid for linux container based container runtime. + // It should only be returned non-empty when Verbose is true. + map info = 2; } // ContainerResources holds resource limits configuration for a container. message ContainerResources { - // Resource limits configuration specific to Linux container. - LinuxContainerResources linux = 1; - // Resource limits configuration specific to Windows container. - WindowsContainerResources windows = 2; + // Resource limits configuration specific to Linux container. + LinuxContainerResources linux = 1; + // Resource limits configuration specific to Windows container. + WindowsContainerResources windows = 2; } message UpdateContainerResourcesRequest { - // ID of the container to update. - string container_id = 1; - // Resource configuration specific to Linux containers. - LinuxContainerResources linux = 2; - // Resource configuration specific to Windows containers. - WindowsContainerResources windows = 3; - // Unstructured key-value map holding arbitrary additional information for - // container resources updating. This can be used for specifying experimental - // resources to update or other options to use when updating the container. - map annotations = 4; + // ID of the container to update. + string container_id = 1; + // Resource configuration specific to Linux containers. + LinuxContainerResources linux = 2; + // Resource configuration specific to Windows containers. + WindowsContainerResources windows = 3; + // Unstructured key-value map holding arbitrary additional information for + // container resources updating. This can be used for specifying experimental + // resources to update or other options to use when updating the container. + map annotations = 4; } message UpdateContainerResourcesResponse {} message ExecSyncRequest { - // ID of the container. - string container_id = 1; - // Command to execute. - repeated string cmd = 2; - // Timeout in seconds to stop the command. Default: 0 (run forever). - int64 timeout = 3; + // ID of the container. + string container_id = 1; + // Command to execute. + repeated string cmd = 2; + // Timeout in seconds to stop the command. Default: 0 (run forever). + int64 timeout = 3; } message ExecSyncResponse { - // Captured command stdout output. - bytes stdout = 1; - // Captured command stderr output. - bytes stderr = 2; - // Exit code the command finished with. Default: 0 (success). - int32 exit_code = 3; + // Captured command stdout output. + bytes stdout = 1; + // Captured command stderr output. + bytes stderr = 2; + // Exit code the command finished with. Default: 0 (success). + int32 exit_code = 3; } message ExecRequest { - // ID of the container in which to execute the command. - string container_id = 1; - // Command to execute. - repeated string cmd = 2; - // Whether to exec the command in a TTY. - bool tty = 3; - // Whether to stream stdin. - // One of `stdin`, `stdout`, and `stderr` MUST be true. - bool stdin = 4; - // Whether to stream stdout. - // One of `stdin`, `stdout`, and `stderr` MUST be true. - bool stdout = 5; - // Whether to stream stderr. - // One of `stdin`, `stdout`, and `stderr` MUST be true. - // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported - // in this case. The output of stdout and stderr will be combined to a - // single stream. - bool stderr = 6; + // ID of the container in which to execute the command. + string container_id = 1; + // Command to execute. + repeated string cmd = 2; + // Whether to exec the command in a TTY. + bool tty = 3; + // Whether to stream stdin. + // One of `stdin`, `stdout`, and `stderr` MUST be true. + bool stdin = 4; + // Whether to stream stdout. + // One of `stdin`, `stdout`, and `stderr` MUST be true. + bool stdout = 5; + // Whether to stream stderr. + // One of `stdin`, `stdout`, and `stderr` MUST be true. + // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported + // in this case. The output of stdout and stderr will be combined to a + // single stream. + bool stderr = 6; } message ExecResponse { - // Fully qualified URL of the exec streaming server. - string url = 1; + // Fully qualified URL of the exec streaming server. + string url = 1; } message AttachRequest { - // ID of the container to which to attach. - string container_id = 1; - // Whether to stream stdin. - // One of `stdin`, `stdout`, and `stderr` MUST be true. - bool stdin = 2; - // Whether the process being attached is running in a TTY. - // This must match the TTY setting in the ContainerConfig. - bool tty = 3; - // Whether to stream stdout. - // One of `stdin`, `stdout`, and `stderr` MUST be true. - bool stdout = 4; - // Whether to stream stderr. - // One of `stdin`, `stdout`, and `stderr` MUST be true. - // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported - // in this case. The output of stdout and stderr will be combined to a - // single stream. - bool stderr = 5; + // ID of the container to which to attach. + string container_id = 1; + // Whether to stream stdin. + // One of `stdin`, `stdout`, and `stderr` MUST be true. + bool stdin = 2; + // Whether the process being attached is running in a TTY. + // This must match the TTY setting in the ContainerConfig. + bool tty = 3; + // Whether to stream stdout. + // One of `stdin`, `stdout`, and `stderr` MUST be true. + bool stdout = 4; + // Whether to stream stderr. + // One of `stdin`, `stdout`, and `stderr` MUST be true. + // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported + // in this case. The output of stdout and stderr will be combined to a + // single stream. + bool stderr = 5; } message AttachResponse { - // Fully qualified URL of the attach streaming server. - string url = 1; + // Fully qualified URL of the attach streaming server. + string url = 1; } message PortForwardRequest { - // ID of the container to which to forward the port. - string pod_sandbox_id = 1; - // Port to forward. - repeated int32 port = 2; + // ID of the container to which to forward the port. + string pod_sandbox_id = 1; + // Port to forward. + repeated int32 port = 2; } message PortForwardResponse { - // Fully qualified URL of the port-forward streaming server. - string url = 1; + // Fully qualified URL of the port-forward streaming server. + string url = 1; } message ImageFilter { - // Spec of the image. - ImageSpec image = 1; + // Spec of the image. + ImageSpec image = 1; } message ListImagesRequest { - // Filter to list images. - ImageFilter filter = 1; + // Filter to list images. + ImageFilter filter = 1; } // Basic information about a container image. message Image { - // ID of the image. - string id = 1; - // Other names by which this image is known. - repeated string repo_tags = 2; - // Digests by which this image is known. - repeated string repo_digests = 3; - // Size of the image in bytes. Must be > 0. - uint64 size = 4; - // UID that will run the command(s). This is used as a default if no user is - // specified when creating the container. UID and the following user name - // are mutually exclusive. - Int64Value uid = 5; - // User name that will run the command(s). This is used if UID is not set - // and no user is specified when creating container. - string username = 6; - // ImageSpec for image which includes annotations - ImageSpec spec = 7; - // Recommendation on whether this image should be exempt from garbage collection. - // It must only be treated as a recommendation -- the client can still request that the image be deleted, - // and the runtime must oblige. - bool pinned = 8; + // ID of the image. + string id = 1; + // Other names by which this image is known. + repeated string repo_tags = 2; + // Digests by which this image is known. + repeated string repo_digests = 3; + // Size of the image in bytes. Must be > 0. + uint64 size = 4; + // UID that will run the command(s). This is used as a default if no user is + // specified when creating the container. UID and the following user name + // are mutually exclusive. + Int64Value uid = 5; + // User name that will run the command(s). This is used if UID is not set + // and no user is specified when creating container. + string username = 6; + // ImageSpec for image which includes annotations + ImageSpec spec = 7; + // Recommendation on whether this image should be exempt from garbage collection. + // It must only be treated as a recommendation -- the client can still request that the image be deleted, + // and the runtime must oblige. + bool pinned = 8; } message ListImagesResponse { - // List of images. - repeated Image images = 1; + // List of images. + repeated Image images = 1; } message ImageStatusRequest { - // Spec of the image. - ImageSpec image = 1; - // Verbose indicates whether to return extra information about the image. - bool verbose = 2; + // Spec of the image. + ImageSpec image = 1; + // Verbose indicates whether to return extra information about the image. + bool verbose = 2; } message ImageStatusResponse { - // Status of the image. - Image image = 1; - // Info is extra information of the Image. The key could be arbitrary string, and - // value should be in json format. The information could include anything useful - // for debug, e.g. image config for oci image based container runtime. - // It should only be returned non-empty when Verbose is true. - map info = 2; + // Status of the image. + Image image = 1; + // Info is extra information of the Image. The key could be arbitrary string, and + // value should be in json format. The information could include anything useful + // for debug, e.g. image config for oci image based container runtime. + // It should only be returned non-empty when Verbose is true. + map info = 2; } // AuthConfig contains authorization information for connecting to a registry. message AuthConfig { - string username = 1; - string password = 2; - string auth = 3; - string server_address = 4; - // IdentityToken is used to authenticate the user and get - // an access token for the registry. - string identity_token = 5; - // RegistryToken is a bearer token to be sent to a registry - string registry_token = 6; + string username = 1; + string password = 2; + string auth = 3; + string server_address = 4; + // IdentityToken is used to authenticate the user and get + // an access token for the registry. + string identity_token = 5; + // RegistryToken is a bearer token to be sent to a registry + string registry_token = 6; } message PullImageRequest { - // Spec of the image. - ImageSpec image = 1; - // Authentication configuration for pulling the image. - AuthConfig auth = 2; - // Config of the PodSandbox, which is used to pull image in PodSandbox context. - PodSandboxConfig sandbox_config = 3; + // Spec of the image. + ImageSpec image = 1; + // Authentication configuration for pulling the image. + AuthConfig auth = 2; + // Config of the PodSandbox, which is used to pull image in PodSandbox context. + PodSandboxConfig sandbox_config = 3; } message PullImageResponse { - // Reference to the image in use. For most runtimes, this should be an - // image ID or digest. - string image_ref = 1; + // Reference to the image in use. For most runtimes, this should be an + // image ID or digest. + string image_ref = 1; } message RemoveImageRequest { - // Spec of the image to remove. - ImageSpec image = 1; + // Spec of the image to remove. + ImageSpec image = 1; } message RemoveImageResponse {} message NetworkConfig { - // CIDR to use for pod IP addresses. If the CIDR is empty, runtimes - // should omit it. - string pod_cidr = 1; + // CIDR to use for pod IP addresses. If the CIDR is empty, runtimes + // should omit it. + string pod_cidr = 1; } message RuntimeConfig { - NetworkConfig network_config = 1; + NetworkConfig network_config = 1; } message UpdateRuntimeConfigRequest { - RuntimeConfig runtime_config = 1; + RuntimeConfig runtime_config = 1; } message UpdateRuntimeConfigResponse {} @@ -1382,164 +1382,164 @@ message UpdateRuntimeConfigResponse {} // not required are optional. These conditions will be exposed to users to help // them understand the status of the system. message RuntimeCondition { - // Type of runtime condition. - string type = 1; - // Status of the condition, one of true/false. Default: false. - bool status = 2; - // Brief CamelCase string containing reason for the condition's last transition. - string reason = 3; - // Human-readable message indicating details about last transition. - string message = 4; + // Type of runtime condition. + string type = 1; + // Status of the condition, one of true/false. Default: false. + bool status = 2; + // Brief CamelCase string containing reason for the condition's last transition. + string reason = 3; + // Human-readable message indicating details about last transition. + string message = 4; } // RuntimeStatus is information about the current status of the runtime. message RuntimeStatus { - // List of current observed runtime conditions. - repeated RuntimeCondition conditions = 1; + // List of current observed runtime conditions. + repeated RuntimeCondition conditions = 1; } message StatusRequest { - // Verbose indicates whether to return extra information about the runtime. - bool verbose = 1; + // Verbose indicates whether to return extra information about the runtime. + bool verbose = 1; } message StatusResponse { - // Status of the Runtime. - RuntimeStatus status = 1; - // Info is extra information of the Runtime. The key could be arbitrary string, and - // value should be in json format. The information could include anything useful for - // debug, e.g. plugins used by the container runtime. - // It should only be returned non-empty when Verbose is true. - map info = 2; + // Status of the Runtime. + RuntimeStatus status = 1; + // Info is extra information of the Runtime. The key could be arbitrary string, and + // value should be in json format. The information could include anything useful for + // debug, e.g. plugins used by the container runtime. + // It should only be returned non-empty when Verbose is true. + map info = 2; } message ImageFsInfoRequest {} // UInt64Value is the wrapper of uint64. message UInt64Value { - // The value. - uint64 value = 1; + // The value. + uint64 value = 1; } // FilesystemIdentifier uniquely identify the filesystem. message FilesystemIdentifier{ - // Mountpoint of a filesystem. - string mountpoint = 1; + // Mountpoint of a filesystem. + string mountpoint = 1; } // FilesystemUsage provides the filesystem usage information. message FilesystemUsage { - // Timestamp in nanoseconds at which the information were collected. Must be > 0. - int64 timestamp = 1; - // The unique identifier of the filesystem. - FilesystemIdentifier fs_id = 2; - // UsedBytes represents the bytes used for images on the filesystem. - // This may differ from the total bytes used on the filesystem and may not - // equal CapacityBytes - AvailableBytes. - UInt64Value used_bytes = 3; - // InodesUsed represents the inodes used by the images. - // This may not equal InodesCapacity - InodesAvailable because the underlying - // filesystem may also be used for purposes other than storing images. - UInt64Value inodes_used = 4; + // Timestamp in nanoseconds at which the information were collected. Must be > 0. + int64 timestamp = 1; + // The unique identifier of the filesystem. + FilesystemIdentifier fs_id = 2; + // UsedBytes represents the bytes used for images on the filesystem. + // This may differ from the total bytes used on the filesystem and may not + // equal CapacityBytes - AvailableBytes. + UInt64Value used_bytes = 3; + // InodesUsed represents the inodes used by the images. + // This may not equal InodesCapacity - InodesAvailable because the underlying + // filesystem may also be used for purposes other than storing images. + UInt64Value inodes_used = 4; } message ImageFsInfoResponse { - // Information of image filesystem(s). - repeated FilesystemUsage image_filesystems = 1; + // Information of image filesystem(s). + repeated FilesystemUsage image_filesystems = 1; } message ContainerStatsRequest{ - // ID of the container for which to retrieve stats. - string container_id = 1; + // ID of the container for which to retrieve stats. + string container_id = 1; } message ContainerStatsResponse { - // Stats of the container. - ContainerStats stats = 1; + // Stats of the container. + ContainerStats stats = 1; } message ListContainerStatsRequest{ - // Filter for the list request. - ContainerStatsFilter filter = 1; + // Filter for the list request. + ContainerStatsFilter filter = 1; } // ContainerStatsFilter is used to filter containers. // All those fields are combined with 'AND' message ContainerStatsFilter { - // ID of the container. - string id = 1; - // ID of the PodSandbox. - string pod_sandbox_id = 2; - // LabelSelector to select matches. - // Only api.MatchLabels is supported for now and the requirements - // are ANDed. MatchExpressions is not supported yet. - map label_selector = 3; + // ID of the container. + string id = 1; + // ID of the PodSandbox. + string pod_sandbox_id = 2; + // LabelSelector to select matches. + // Only api.MatchLabels is supported for now and the requirements + // are ANDed. MatchExpressions is not supported yet. + map label_selector = 3; } message ListContainerStatsResponse { - // Stats of the container. - repeated ContainerStats stats = 1; + // Stats of the container. + repeated ContainerStats stats = 1; } // ContainerAttributes provides basic information of the container. message ContainerAttributes { - // ID of the container. - string id = 1; - // Metadata of the container. - ContainerMetadata metadata = 2; - // Key-value pairs that may be used to scope and select individual resources. - map labels = 3; - // Unstructured key-value map holding arbitrary metadata. - // Annotations MUST NOT be altered by the runtime; the value of this field - // MUST be identical to that of the corresponding ContainerConfig used to - // instantiate the Container this status represents. - map annotations = 4; + // ID of the container. + string id = 1; + // Metadata of the container. + ContainerMetadata metadata = 2; + // Key-value pairs that may be used to scope and select individual resources. + map labels = 3; + // Unstructured key-value map holding arbitrary metadata. + // Annotations MUST NOT be altered by the runtime; the value of this field + // MUST be identical to that of the corresponding ContainerConfig used to + // instantiate the Container this status represents. + map annotations = 4; } // ContainerStats provides the resource usage statistics for a container. message ContainerStats { - // Information of the container. - ContainerAttributes attributes = 1; - // CPU usage gathered from the container. - CpuUsage cpu = 2; - // Memory usage gathered from the container. - MemoryUsage memory = 3; - // Usage of the writable layer. - FilesystemUsage writable_layer = 4; + // Information of the container. + ContainerAttributes attributes = 1; + // CPU usage gathered from the container. + CpuUsage cpu = 2; + // Memory usage gathered from the container. + MemoryUsage memory = 3; + // Usage of the writable layer. + FilesystemUsage writable_layer = 4; } // CpuUsage provides the CPU usage information. message CpuUsage { - // Timestamp in nanoseconds at which the information were collected. Must be > 0. - int64 timestamp = 1; - // Cumulative CPU usage (sum across all cores) since object creation. - UInt64Value usage_core_nano_seconds = 2; - // Total CPU usage (sum of all cores) averaged over the sample window. - // The "core" unit can be interpreted as CPU core-nanoseconds per second. - UInt64Value usage_nano_cores = 3; + // Timestamp in nanoseconds at which the information were collected. Must be > 0. + int64 timestamp = 1; + // Cumulative CPU usage (sum across all cores) since object creation. + UInt64Value usage_core_nano_seconds = 2; + // Total CPU usage (sum of all cores) averaged over the sample window. + // The "core" unit can be interpreted as CPU core-nanoseconds per second. + UInt64Value usage_nano_cores = 3; } // MemoryUsage provides the memory usage information. message MemoryUsage { - // Timestamp in nanoseconds at which the information were collected. Must be > 0. - int64 timestamp = 1; - // The amount of working set memory in bytes. - UInt64Value working_set_bytes = 2; - // Available memory for use. This is defined as the memory limit - workingSetBytes. - UInt64Value available_bytes = 3; - // Total memory in use. This includes all memory regardless of when it was accessed. - UInt64Value usage_bytes = 4; - // The amount of anonymous and swap cache memory (includes transparent hugepages). - UInt64Value rss_bytes = 5; - // Cumulative number of minor page faults. - UInt64Value page_faults = 6; - // Cumulative number of major page faults. - UInt64Value major_page_faults = 7; + // Timestamp in nanoseconds at which the information were collected. Must be > 0. + int64 timestamp = 1; + // The amount of working set memory in bytes. + UInt64Value working_set_bytes = 2; + // Available memory for use. This is defined as the memory limit - workingSetBytes. + UInt64Value available_bytes = 3; + // Total memory in use. This includes all memory regardless of when it was accessed. + UInt64Value usage_bytes = 4; + // The amount of anonymous and swap cache memory (includes transparent hugepages). + UInt64Value rss_bytes = 5; + // Cumulative number of minor page faults. + UInt64Value page_faults = 6; + // Cumulative number of major page faults. + UInt64Value major_page_faults = 7; } message ReopenContainerLogRequest { - // ID of the container for which to reopen the log. - string container_id = 1; + // ID of the container for which to reopen the log. + string container_id = 1; } message ReopenContainerLogResponse{