1package v1beta1
2
3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
4
5// ClusterTrustBundle is a cluster-scoped container for X.509
6// trust anchors (root certificates).
7//
8// ClusterTrustBundle objects are considered to be readable by any
9// authenticated user in the cluster, because they can be mounted
10// by pods using the `clusterTrustBundle` projection. All service
11// accounts have read access to ClusterTrustBundles by default.
12// Users who only have namespace-level access to a cluster can
13// read ClusterTrustBundles by impersonating a serviceaccount
14// that they have access to.
15//
// It can be optionally associated with a particular signer, in
17// which case it contains one valid set of trust anchors for that
18// signer. Signers may have multiple associated
19// ClusterTrustBundles; each is an independent set of trust
20// anchors for that signer. Admission control is used to enforce
21// that only users with permissions on the signer can create or
22// modify the corresponding bundle.
#ClusterTrustBundle: {
	// apiVersion is the versioned schema of this object representation.
	// Servers convert recognized schemas to the latest internal value and
	// may reject unrecognized values. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "certificates.k8s.io/v1beta1"

	// kind names the REST resource this object represents, in CamelCase.
	// Servers may infer it from the request endpoint; it cannot be
	// updated. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ClusterTrustBundle"

	// metadata holds the standard object metadata.
	metadata?: v1.#ObjectMeta

	// spec holds the optional signer association and the set of X.509
	// trust anchors. Required.
	spec!: #ClusterTrustBundleSpec
}
44
// ClusterTrustBundleList is a collection of ClusterTrustBundle
// objects.
#ClusterTrustBundleList: {
	// apiVersion is the versioned schema of this list representation.
	// Servers convert recognized schemas to the latest internal value and
	// may reject unrecognized values. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "certificates.k8s.io/v1beta1"

	// kind names the REST resource this object represents, in CamelCase.
	// Servers may infer it from the request endpoint; it cannot be
	// updated. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ClusterTrustBundleList"

	// metadata holds the standard list metadata.
	metadata?: v1.#ListMeta

	// items is the list of ClusterTrustBundle objects. Required; may be
	// empty.
	items!: [...#ClusterTrustBundle]
}
68
69// ClusterTrustBundleSpec contains the signer and trust anchors.
#ClusterTrustBundleSpec: {
	// signerName is the signer this bundle is associated with, if any.
	//
	// Creating or updating a bundle that sets signerName requires the
	// cluster-scoped permission
	//   group=certificates.k8s.io resource=signers
	//   resourceName=<the signer name> verb=attest
	//
	// When signerName is set, the object name must start with the signer
	// name, with `/` translated to `:`. For signer `example.com/foo`,
	// `example.com:foo:abc` and `example.com:foo:v1` are valid names.
	// When signerName is empty, the object name must not carry such a
	// prefix.
	//
	// List/watch requests can select on this field with the field
	// selector `spec.signerName=NAME`.
	signerName?: string

	// trustBundle is the set of X.509 trust anchors for this bundle: a
	// PEM bundle of PEM-wrapped, DER-encoded X.509 certificates. Only
	// public CA material belongs here; the object is readable by any
	// authenticated user in the cluster.
	//
	// Server-side validation: every block must parse as a valid X.509
	// certificate and carry a basic constraints extension with the CA
	// bit set; duplicate certificates and PEM block headers are
	// rejected. This CUE schema only constrains the field to be a string
	// and does not re-check those requirements.
	//
	// Consumers (kubelet included) may reorder and deduplicate the
	// blocks and may drop PEM block headers and inter-block data.
	trustBundle!: string
}
107
108// PodCertificateRequest encodes a pod requesting a certificate
109// from a given signer.
110//
// Kubelets use this API to implement podCertificate projected
// volumes.
#PodCertificateRequest: {
	// apiVersion is the versioned schema of this object representation.
	// Servers convert recognized schemas to the latest internal value and
	// may reject unrecognized values. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "certificates.k8s.io/v1beta1"

	// kind names the REST resource this object represents, in CamelCase.
	// Servers may infer it from the request endpoint; it cannot be
	// updated. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "PodCertificateRequest"

	// metadata holds the standard object metadata.
	metadata?: v1.#ObjectMeta

	// spec describes the certificate being requested (requester
	// identity, public key, proof of possession, signer). Required.
	spec!: #PodCertificateRequestSpec

	// status carries the signer's response: the issued certificate chain,
	// its validity window, and the standard set of conditions.
	status?: #PodCertificateRequestStatus
}
139
// PodCertificateRequestList is a collection of
// PodCertificateRequest objects.
#PodCertificateRequestList: {
	// apiVersion is the versioned schema of this list representation.
	// Servers convert recognized schemas to the latest internal value and
	// may reject unrecognized values. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "certificates.k8s.io/v1beta1"

	// kind names the REST resource this object represents, in CamelCase.
	// Servers may infer it from the request endpoint; it cannot be
	// updated. See
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "PodCertificateRequestList"

	// metadata holds the standard list metadata.
	metadata?: v1.#ListMeta

	// items is the list of PodCertificateRequest objects. Required; may
	// be empty.
	items!: [...#PodCertificateRequest]
}
163
164// PodCertificateRequestSpec describes the certificate request.
165// All fields are immutable after creation.
#PodCertificateRequestSpec: {
	// signerName is the signer being asked to issue the certificate.
	// Required.
	//
	// Names beginning with `kubernetes.io` are reserved for the
	// Kubernetes project. The one well-known signer documented so far,
	// `kubernetes.io/kube-apiserver-client-pod`, is meant to issue client
	// certificates understood by kube-apiserver and is currently
	// unimplemented.
	signerName!: string

	// podName and podUID identify the pod the certificate will be mounted
	// into. Required.
	podName!: string
	podUID!:  string

	// serviceAccountName and serviceAccountUID identify the service
	// account the pod runs as. Required.
	serviceAccountName!: string
	serviceAccountUID!:  string

	// nodeName and nodeUID identify the node the pod is assigned to.
	// Required.
	nodeName!: string
	nodeUID!:  string

	// pkixPublicKey is the PKIX-serialized public key the certificate
	// will be issued to. Required.
	//
	// NOTE(review): the wire type is a string while PKIX is DER; expect
	// the value to be base64-encoded as for other byte fields in the
	// Kubernetes API — confirm against the Go types.
	//
	// Accepted key types: RSA3072, RSA4096, ECDSAP256, ECDSAP384,
	// ECDSAP521 and ED25519; the list may grow. A signer need not support
	// every type kube-apiserver and kubelet accept. For an unsupported
	// key type it must deny the request with a status.conditions entry of
	// type "Denied" and reason "UnsupportedKeyType", optionally naming a
	// supported key type in the message.
	pkixPublicKey!: string

	// proofOfPossession demonstrates that the requesting kubelet holds
	// the private key matching pkixPublicKey. Required.
	//
	// It is constructed by signing the ASCII bytes of the pod's UID with
	// the private key corresponding to `pkixPublicKey`; kube-apiserver
	// verifies it when the PodCertificateRequest is created. The
	// signature format depends on the key type:
	//   - RSA: RSASSA-PSS per RFC 8017, as produced by Go's
	//     crypto/rsa.SignPSS with nil options.
	//   - ECDSA: as described by SEC 1, Version 2.0
	//     (https://www.secg.org/sec1-v2.pdf), as produced by Go's
	//     crypto/ecdsa.SignASN1.
	//   - ED25519: as described by the Ed25519 specification
	//     (https://ed25519.cr.yp.to/), as produced by Go's
	//     crypto/ed25519.Sign.
	//
	// NOTE(review): same encoding caveat as pkixPublicKey — the wire type
	// is a string carrying raw signature bytes.
	proofOfPossession!: string

	// maxExpirationSeconds is the longest lifetime the requester will
	// accept for the certificate.
	//
	// kube-apiserver defaults an omitted value to 86400 (24 hours),
	// rejects values below 3600 (1 hour), and caps the field at 7862400
	// (91 days). The signer may issue any lifetime *shorter* than this
	// value but not shorter than 3600 seconds; kube-apiserver enforces
	// both bounds. `kubernetes.io` signers never issue certificates
	// valid for more than 24 hours. This schema does not encode those
	// bounds; only the int32 range is checked here.
	maxExpirationSeconds?: int & int32

	// unverifiedUserAnnotations lets pod authors pass extra information
	// to the signer. Kubernetes does not restrict or validate the
	// contents beyond the rules for object-metadata annotations, the
	// requirement that every key be domain-prefixed, and an overall size
	// limit on the field. Values are therefore attacker-controllable from
	// the signer's point of view and must be treated as untrusted input.
	//
	// Signers should document the keys and values they accept and deny
	// requests carrying keys they do not recognize.
	unverifiedUserAnnotations?: [string]: string
}
269
270// PodCertificateRequestStatus describes the status of the
271// request, and holds the certificate data if the request is
272// issued.
#PodCertificateRequestStatus: {
	// conditions records the state of the request.
	//
	// The condition types "Issued", "Denied" and "Failed" are special:
	// at most one of them may be present and it must have status "True".
	// This schema does not enforce that invariant. When a request is
	// denied with `Reason=UnsupportedKeyType`, the signer may name a
	// workable key type in the condition message.
	conditions?: [...v1.#Condition]

	// certificateChain holds the certificate issued by the signer. It is
	// written through the /status subresource and, once set, is
	// immutable. It stays empty when the request is denied (condition
	// type "Denied") or when the signer cannot issue (condition type
	// "Failed").
	//
	// Validation requirements:
	//   1. one or more PEM-formatted certificates;
	//   2. each a valid PEM-wrapped, DER-encoded ASN.1 Certificate as
	//      described in section 4 of RFC 5280.
	//
	// With more than one block, and unless the definition of the
	// requested spec.signerName says otherwise, the first block is the
	// issued (leaf) certificate and the remaining blocks are
	// intermediates to present in TLS handshakes. When projecting the
	// chain into a pod volume, kubelet drops inter-block data and PEM
	// block headers.
	certificateChain?: string

	// notBefore is the start of the certificate's validity and must equal
	// the notBefore of the leaf certificate in certificateChain. Set via
	// the /status subresource together with certificateChain; immutable
	// once populated.
	notBefore?: v1.#Time

	// notAfter is the expiry of the certificate and must equal the
	// notAfter of the leaf certificate in certificateChain. Set via the
	// /status subresource together with certificateChain; immutable once
	// populated.
	notAfter?: v1.#Time

	// beginRefreshAt is the time from which kubelet should start trying
	// to refresh the certificate. Set via the /status subresource
	// together with certificateChain; immutable once populated.
	//
	// It is only a hint: kubelet may refresh earlier or later if needed.
	beginRefreshAt?: v1.#Time
}