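package v1beta1

import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"

// ClusterTrustBundle is a cluster-scoped container for X.509
// trust anchors (root certificates).
//
// ClusterTrustBundle objects are considered to be readable by any
// authenticated user in the cluster, because they can be mounted
// by pods using the `clusterTrustBundle` projection. All service
// accounts have read access to ClusterTrustBundles by default.
// Users who only have namespace-level access to a cluster can
// read ClusterTrustBundles by impersonating a serviceaccount
// that they have access to.
//
// It can be optionally associated with a particular signer, in
// which case it contains one valid set of trust anchors for that
// signer. Signers may have multiple associated
// ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce
// that only users with permissions on the signer can create or
// modify the corresponding bundle.
#ClusterTrustBundle: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "certificates.k8s.io/v1beta1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "ClusterTrustBundle"

	// metadata contains the object metadata.
	"metadata"?: v1.#ObjectMeta

	// spec contains the signer (if any) and trust anchors.
	"spec"!: #ClusterTrustBundleSpec
}

// ClusterTrustBundleList is a collection of ClusterTrustBundle
// objects
#ClusterTrustBundleList: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "certificates.k8s.io/v1beta1"

	// items is a collection of ClusterTrustBundle objects
	"items"!: [...#ClusterTrustBundle]

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "ClusterTrustBundleList"

	// metadata contains the list metadata.
	"metadata"?: v1.#ListMeta
}

// ClusterTrustBundleSpec contains the signer and trust anchors.
#ClusterTrustBundleSpec: {
	// signerName indicates the associated signer, if any.
	//
	// In order to create or update a ClusterTrustBundle that sets
	// signerName, you must have the following cluster-scoped
	// permission: group=certificates.k8s.io resource=signers
	// resourceName=<the signer name> verb=attest.
	//
	// If signerName is not empty, then the ClusterTrustBundle object
	// must be named with the signer name as a prefix (translating
	// slashes to colons). For example, for the signer name
	// `example.com/foo`, valid ClusterTrustBundle object names
	// include `example.com:foo:abc` and `example.com:foo:v1`.
	//
	// If signerName is empty, then the ClusterTrustBundle object's
	// name must not have such a prefix.
	//
	// List/watch requests for ClusterTrustBundles can filter on this
	// field using a `spec.signerName=NAME` field selector.
	"signerName"?: string

	// trustBundle contains the individual X.509 trust anchors for
	// this bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509
	// certificates.
	//
	// The data must consist only of PEM certificate blocks that parse
	// as valid X.509 certificates. Each certificate must include a
	// basic constraints extension with the CA bit set. The API
	// server will reject objects that contain duplicate
	// certificates, or that use PEM block headers.
	//
	// Users of ClusterTrustBundles, including Kubelet, are free to
	// reorder and deduplicate certificate blocks in this file
	// according to their own logic, as well as to drop PEM block
	// headers and inter-block data.
	//
	// NOTE: this schema only checks that the value is a string; the
	// PEM/X.509 content rules above are enforced by kube-apiserver.
	"trustBundle"!: string
}

// PodCertificateRequest encodes a pod requesting a certificate
// from a given signer.
//
// Kubelets use this API to implement podCertificate projected
// volumes
#PodCertificateRequest: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "certificates.k8s.io/v1beta1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "PodCertificateRequest"

	// metadata contains the object metadata.
	"metadata"?: v1.#ObjectMeta

	// spec contains the details about the certificate being
	// requested.
	"spec"!: #PodCertificateRequestSpec

	// status contains the issued certificate, and a standard set of
	// conditions.
	"status"?: #PodCertificateRequestStatus
}

// PodCertificateRequestList is a collection of
// PodCertificateRequest objects
#PodCertificateRequestList: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	"apiVersion": "certificates.k8s.io/v1beta1"

	// items is a collection of PodCertificateRequest objects
	"items"!: [...#PodCertificateRequest]

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	"kind": "PodCertificateRequestList"

	// metadata contains the list metadata.
	"metadata"?: v1.#ListMeta
}

// PodCertificateRequestSpec describes the certificate request.
// All fields are immutable after creation.
#PodCertificateRequestSpec: {
	// maxExpirationSeconds is the maximum lifetime permitted for the
	// certificate.
	//
	// If omitted, kube-apiserver will set it to 86400(24 hours).
	// kube-apiserver will reject values shorter than 3600 (1 hour).
	// The maximum allowable value is 7862400 (91 days).
	//
	// The signer implementation is then free to issue a certificate
	// with any lifetime *shorter* than MaxExpirationSeconds, but no
	// shorter than 3600 seconds (1 hour). This constraint is
	// enforced by kube-apiserver. `kubernetes.io` signers will never
	// issue certificates with a lifetime longer than 24 hours.
	//
	// The bounds below mirror the documented kube-apiserver range so
	// that an out-of-range value fails at CUE evaluation time rather
	// than only at admission.
	"maxExpirationSeconds"?: int32 & int & >=3600 & <=7862400

	// nodeName is the name of the node the pod is assigned to.
	"nodeName"!: string

	// nodeUID is the UID of the node the pod is assigned to.
	"nodeUID"!: string

	// pkixPublicKey is the PKIX-serialized public key the signer will
	// issue the certificate to.
	//
	// The key must be one of RSA3072, RSA4096, ECDSAP256, ECDSAP384,
	// ECDSAP521, or ED25519. Note that this list may be expanded in
	// the future.
	//
	// Signer implementations do not need to support all key types
	// supported by kube-apiserver and kubelet. If a signer does not
	// support the key type used for a given PodCertificateRequest,
	// it must deny the request by setting a status.conditions entry
	// with a type of "Denied" and a reason of "UnsupportedKeyType".
	// It may also suggest a key type that it does support in the
	// message field.
	"pkixPublicKey"!: string

	// podName is the name of the pod into which the certificate will
	// be mounted.
	"podName"!: string

	// podUID is the UID of the pod into which the certificate will be
	// mounted.
	"podUID"!: string

	// proofOfPossession proves that the requesting kubelet holds the
	// private key corresponding to pkixPublicKey.
	//
	// It is constructed by signing the ASCII bytes of the pod's UID
	// using `pkixPublicKey`.
	//
	// kube-apiserver validates the proof of possession during
	// creation of the PodCertificateRequest.
	//
	// If the key is an RSA key, then the signature is over the ASCII
	// bytes of the pod UID, using RSASSA-PSS from RFC 8017 (as
	// implemented by the golang function crypto/rsa.SignPSS with nil
	// options).
	//
	// If the key is an ECDSA key, then the signature is as described
	// by [SEC 1, Version 2.0](https://www.secg.org/sec1-v2.pdf) (as
	// implemented by the golang library function
	// crypto/ecdsa.SignASN1)
	//
	// If the key is an ED25519 key, the signature is as described
	// by the [ED25519 Specification](https://ed25519.cr.yp.to/) (as
	// implemented by the golang library crypto/ed25519.Sign).
	"proofOfPossession"!: string

	// serviceAccountName is the name of the service account the pod
	// is running as.
	"serviceAccountName"!: string

	// serviceAccountUID is the UID of the service account the pod is
	// running as.
	"serviceAccountUID"!: string

	// signerName indicates the requested signer.
	//
	// All signer names beginning with `kubernetes.io` are reserved
	// for use by the Kubernetes project. There is currently one
	// well-known signer documented by the Kubernetes project,
	// `kubernetes.io/kube-apiserver-client-pod`, which will issue
	// client certificates understood by kube-apiserver. It is
	// currently unimplemented.
	"signerName"!: string

	// unverifiedUserAnnotations allow pod authors to pass additional
	// information to the signer implementation. Kubernetes does not
	// restrict or validate this metadata in any way.
	//
	// Entries are subject to the same validation as object metadata
	// annotations, with the addition that all keys must be
	// domain-prefixed. No restrictions are placed on values, except
	// an overall size limitation on the entire field.
	//
	// Signers should document the keys and values they support.
	// Signers should deny requests that contain keys they do not
	// recognize.
	"unverifiedUserAnnotations"?: {
		[string]: string
	}
}

// PodCertificateRequestStatus describes the status of the
// request, and holds the certificate data if the request is
// issued.
#PodCertificateRequestStatus: {
	// beginRefreshAt is the time at which the kubelet should begin
	// trying to refresh the certificate. This field is set via the
	// /status subresource, and must be set at the same time as
	// certificateChain. Once populated, this field is immutable.
	//
	// This field is only a hint. Kubelet may start refreshing before
	// or after this time if necessary.
	"beginRefreshAt"?: v1.#Time

	// certificateChain is populated with an issued certificate by the
	// signer. This field is set via the /status subresource. Once
	// populated, this field is immutable.
	//
	// If the certificate signing request is denied, a condition of
	// type "Denied" is added and this field remains empty. If the
	// signer cannot issue the certificate, a condition of type
	// "Failed" is added and this field remains empty.
	//
	// Validation requirements:
	//  1. certificateChain must consist of one or more PEM-formatted
	//     certificates.
	//  2. Each entry must be a valid PEM-wrapped, DER-encoded ASN.1
	//     Certificate as described in section 4 of RFC5280.
	//
	// If more than one block is present, and the definition of the
	// requested spec.signerName does not indicate otherwise, the
	// first block is the issued certificate, and subsequent blocks
	// should be treated as intermediate certificates and presented
	// in TLS handshakes. When projecting the chain into a pod
	// volume, kubelet will drop any data in-between the PEM blocks,
	// as well as any PEM block headers.
	"certificateChain"?: string

	// conditions applied to the request.
	//
	// The types "Issued", "Denied", and "Failed" have special
	// handling. At most one of these conditions may be present, and
	// they must have status "True".
	//
	// If the request is denied with `Reason=UnsupportedKeyType`, the
	// signer may suggest a key type that will work in the message
	// field.
	"conditions"?: [...v1.#Condition]

	// notAfter is the time at which the certificate expires. The
	// value must be the same as the notAfter value in the leaf
	// certificate in certificateChain. This field is set via the
	// /status subresource. Once populated, it is immutable. The
	// signer must set this field at the same time it sets
	// certificateChain.
	"notAfter"?: v1.#Time

	// notBefore is the time at which the certificate becomes valid.
	// The value must be the same as the notBefore value in the leaf
	// certificate in certificateChain. This field is set via the
	// /status subresource. Once populated, it is immutable. The
	// signer must set this field at the same time it sets
	// certificateChain.
	"notBefore"?: v1.#Time
}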