mirror of
				https://gitea.com/Lydanne/buildx.git
				synced 2025-10-26 21:53:51 +08:00 
			
		
		
		
	
		
			
				
	
	
		
			516 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			Protocol Buffer
		
	
	
	
	
	
			
		
		
	
	
			516 lines
		
	
	
		
			22 KiB
		
	
	
	
		
			Protocol Buffer
		
	
	
	
	
	
| /*
 | |
| Copyright The Kubernetes Authors.
 | |
| 
 | |
| Licensed under the Apache License, Version 2.0 (the "License");
 | |
| you may not use this file except in compliance with the License.
 | |
| You may obtain a copy of the License at
 | |
| 
 | |
|     http://www.apache.org/licenses/LICENSE-2.0
 | |
| 
 | |
| Unless required by applicable law or agreed to in writing, software
 | |
| distributed under the License is distributed on an "AS IS" BASIS,
 | |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| See the License for the specific language governing permissions and
 | |
| limitations under the License.
 | |
| */
 | |
| 
 | |
| 
 | |
| // This file was autogenerated by go-to-protobuf. Do not edit it manually!
 | |
| 
 | |
| syntax = "proto2";
 | |
| 
 | |
| package k8s.io.api.flowcontrol.v1beta3;
 | |
| 
 | |
| import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
 | |
| import "k8s.io/apimachinery/pkg/runtime/generated.proto";
 | |
| import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
 | |
| 
 | |
| // Package-wide variables from generator "generated".
 | |
| option go_package = "k8s.io/api/flowcontrol/v1beta3";
 | |
| 
 | |
| // ExemptPriorityLevelConfiguration describes the configurable aspects
 | |
| // of the handling of exempt requests.
 | |
| // In the mandatory exempt configuration object the values in the fields
 | |
| // here can be modified by authorized users, unlike the rest of the `spec`.
 | |
| message ExemptPriorityLevelConfiguration {
 | |
|   // `nominalConcurrencyShares` (NCS) contributes to the computation of the
 | |
|   // NominalConcurrencyLimit (NominalCL) of this level.
 | |
|   // This is the number of execution seats nominally reserved for this priority level.
 | |
|   // This DOES NOT limit the dispatching from this priority level
 | |
|   // but affects the other priority levels through the borrowing mechanism.
 | |
|   // The server's concurrency limit (ServerCL) is divided among all the
 | |
|   // priority levels in proportion to their NCS values:
 | |
|   //
 | |
|   // NominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs )
 | |
|   // sum_ncs = sum[priority level k] NCS(k)
 | |
|   //
 | |
|   // Bigger numbers mean a larger nominal concurrency limit,
 | |
|   // at the expense of every other priority level.
 | |
|   // This field has a default value of zero.
 | |
|   // +optional
 | |
|   optional int32 nominalConcurrencyShares = 1;
 | |
| 
 | |
|   // `lendablePercent` prescribes the fraction of the level's NominalCL that
 | |
|   // can be borrowed by other priority levels.  This value of this
 | |
|   // field must be between 0 and 100, inclusive, and it defaults to 0.
 | |
|   // The number of seats that other levels can borrow from this level, known
 | |
|   // as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
 | |
|   //
 | |
|   // LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
 | |
|   //
 | |
|   // +optional
 | |
|   optional int32 lendablePercent = 2;
 | |
| }
 | |
| 
 | |
| // FlowDistinguisherMethod specifies the method of a flow distinguisher.
 | |
| message FlowDistinguisherMethod {
 | |
|   // `type` is the type of flow distinguisher method
 | |
|   // The supported types are "ByUser" and "ByNamespace".
 | |
|   // Required.
 | |
|   optional string type = 1;
 | |
| }
 | |
| 
 | |
| // FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
 | |
| // similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
 | |
| message FlowSchema {
 | |
|   // `metadata` is the standard object's metadata.
 | |
|   // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 | |
|   // +optional
 | |
|   optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
 | |
| 
 | |
|   // `spec` is the specification of the desired behavior of a FlowSchema.
 | |
|   // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 | |
|   // +optional
 | |
|   optional FlowSchemaSpec spec = 2;
 | |
| 
 | |
|   // `status` is the current status of a FlowSchema.
 | |
|   // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 | |
|   // +optional
 | |
|   optional FlowSchemaStatus status = 3;
 | |
| }
 | |
| 
 | |
| // FlowSchemaCondition describes conditions for a FlowSchema.
 | |
| message FlowSchemaCondition {
 | |
|   // `type` is the type of the condition.
 | |
|   // Required.
 | |
|   optional string type = 1;
 | |
| 
 | |
|   // `status` is the status of the condition.
 | |
|   // Can be True, False, Unknown.
 | |
|   // Required.
 | |
|   optional string status = 2;
 | |
| 
 | |
|   // `lastTransitionTime` is the last time the condition transitioned from one status to another.
 | |
|   optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
 | |
| 
 | |
|   // `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
 | |
|   optional string reason = 4;
 | |
| 
 | |
|   // `message` is a human-readable message indicating details about last transition.
 | |
|   optional string message = 5;
 | |
| }
 | |
| 
 | |
| // FlowSchemaList is a list of FlowSchema objects.
 | |
| message FlowSchemaList {
 | |
|   // `metadata` is the standard list metadata.
 | |
|   // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 | |
|   // +optional
 | |
|   optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
 | |
| 
 | |
|   // `items` is a list of FlowSchemas.
 | |
|   repeated FlowSchema items = 2;
 | |
| }
 | |
| 
 | |
| // FlowSchemaSpec describes how the FlowSchema's specification looks like.
 | |
| message FlowSchemaSpec {
 | |
|   // `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
 | |
|   // be resolved, the FlowSchema will be ignored and marked as invalid in its status.
 | |
|   // Required.
 | |
|   optional PriorityLevelConfigurationReference priorityLevelConfiguration = 1;
 | |
| 
 | |
|   // `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
 | |
|   // FlowSchema is among those with the numerically lowest (which we take to be logically highest)
 | |
|   // MatchingPrecedence.  Each MatchingPrecedence value must be ranged in [1,10000].
 | |
|   // Note that if the precedence is not specified, it will be set to 1000 as default.
 | |
|   // +optional
 | |
|   optional int32 matchingPrecedence = 2;
 | |
| 
 | |
|   // `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
 | |
|   // `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
 | |
|   // +optional
 | |
|   optional FlowDistinguisherMethod distinguisherMethod = 3;
 | |
| 
 | |
|   // `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
 | |
|   // at least one member of rules matches the request.
 | |
|   // if it is an empty slice, there will be no requests matching the FlowSchema.
 | |
|   // +listType=atomic
 | |
|   // +optional
 | |
|   repeated PolicyRulesWithSubjects rules = 4;
 | |
| }
 | |
| 
 | |
| // FlowSchemaStatus represents the current state of a FlowSchema.
 | |
| message FlowSchemaStatus {
 | |
|   // `conditions` is a list of the current states of FlowSchema.
 | |
|   // +listType=map
 | |
|   // +listMapKey=type
 | |
|   // +patchMergeKey=type
 | |
|   // +patchStrategy=merge
 | |
|   // +optional
 | |
|   repeated FlowSchemaCondition conditions = 1;
 | |
| }
 | |
| 
 | |
| // GroupSubject holds detailed information for group-kind subject.
 | |
| message GroupSubject {
 | |
|   // name is the user group that matches, or "*" to match all user groups.
 | |
|   // See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
 | |
|   // well-known group names.
 | |
|   // Required.
 | |
|   optional string name = 1;
 | |
| }
 | |
| 
 | |
| // LimitResponse defines how to handle requests that can not be executed right now.
 | |
| // +union
 | |
| message LimitResponse {
 | |
|   // `type` is "Queue" or "Reject".
 | |
|   // "Queue" means that requests that can not be executed upon arrival
 | |
|   // are held in a queue until they can be executed or a queuing limit
 | |
|   // is reached.
 | |
|   // "Reject" means that requests that can not be executed upon arrival
 | |
|   // are rejected.
 | |
|   // Required.
 | |
|   // +unionDiscriminator
 | |
|   optional string type = 1;
 | |
| 
 | |
|   // `queuing` holds the configuration parameters for queuing.
 | |
|   // This field may be non-empty only if `type` is `"Queue"`.
 | |
|   // +optional
 | |
|   optional QueuingConfiguration queuing = 2;
 | |
| }
 | |
| 
 | |
| // LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
 | |
| // It addresses two issues:
 | |
| //   - How are requests for this priority level limited?
 | |
| //   - What should be done with requests that exceed the limit?
 | |
| message LimitedPriorityLevelConfiguration {
 | |
|   // `nominalConcurrencyShares` (NCS) contributes to the computation of the
 | |
|   // NominalConcurrencyLimit (NominalCL) of this level.
 | |
|   // This is the number of execution seats available at this priority level.
 | |
|   // This is used both for requests dispatched from this priority level
 | |
|   // as well as requests dispatched from other priority levels
 | |
|   // borrowing seats from this level.
 | |
|   // The server's concurrency limit (ServerCL) is divided among the
 | |
|   // Limited priority levels in proportion to their NCS values:
 | |
|   //
 | |
|   // NominalCL(i)  = ceil( ServerCL * NCS(i) / sum_ncs )
 | |
|   // sum_ncs = sum[priority level k] NCS(k)
 | |
|   //
 | |
|   // Bigger numbers mean a larger nominal concurrency limit,
 | |
|   // at the expense of every other priority level.
 | |
|   // This field has a default value of 30.
 | |
|   // +optional
 | |
|   optional int32 nominalConcurrencyShares = 1;
 | |
| 
 | |
|   // `limitResponse` indicates what to do with requests that can not be executed right now
 | |
|   optional LimitResponse limitResponse = 2;
 | |
| 
 | |
|   // `lendablePercent` prescribes the fraction of the level's NominalCL that
 | |
|   // can be borrowed by other priority levels. The value of this
 | |
|   // field must be between 0 and 100, inclusive, and it defaults to 0.
 | |
|   // The number of seats that other levels can borrow from this level, known
 | |
|   // as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
 | |
|   //
 | |
|   // LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
 | |
|   //
 | |
|   // +optional
 | |
|   optional int32 lendablePercent = 3;
 | |
| 
 | |
|   // `borrowingLimitPercent`, if present, configures a limit on how many
 | |
|   // seats this priority level can borrow from other priority levels.
 | |
|   // The limit is known as this level's BorrowingConcurrencyLimit
 | |
|   // (BorrowingCL) and is a limit on the total number of seats that this
 | |
|   // level may borrow at any one time.
 | |
|   // This field holds the ratio of that limit to the level's nominal
 | |
|   // concurrency limit. When this field is non-nil, it must hold a
 | |
|   // non-negative integer and the limit is calculated as follows.
 | |
|   //
 | |
|   // BorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )
 | |
|   //
 | |
|   // The value of this field can be more than 100, implying that this
 | |
|   // priority level can borrow a number of seats that is greater than
 | |
|   // its own nominal concurrency limit (NominalCL).
 | |
|   // When this field is left `nil`, the limit is effectively infinite.
 | |
|   // +optional
 | |
|   optional int32 borrowingLimitPercent = 4;
 | |
| }
 | |
| 
 | |
| // NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
 | |
| // target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
 | |
| // of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
 | |
| message NonResourcePolicyRule {
 | |
|   // `verbs` is a list of matching verbs and may not be empty.
 | |
|   // "*" matches all verbs. If it is present, it must be the only entry.
 | |
|   // +listType=set
 | |
|   // Required.
 | |
|   repeated string verbs = 1;
 | |
| 
 | |
|   // `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
 | |
|   // For example:
 | |
|   //   - "/healthz" is legal
 | |
|   //   - "/hea*" is illegal
 | |
|   //   - "/hea" is legal but matches nothing
 | |
|   //   - "/hea/*" also matches nothing
 | |
|   //   - "/healthz/*" matches all per-component health checks.
 | |
|   // "*" matches all non-resource urls. if it is present, it must be the only entry.
 | |
|   // +listType=set
 | |
|   // Required.
 | |
|   repeated string nonResourceURLs = 6;
 | |
| }
 | |
| 
 | |
| // PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
 | |
| // making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
 | |
| // a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
 | |
| // of resourceRules or nonResourceRules matches the request.
 | |
| message PolicyRulesWithSubjects {
 | |
|   // subjects is the list of normal user, serviceaccount, or group that this rule cares about.
 | |
|   // There must be at least one member in this slice.
 | |
|   // A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
 | |
|   // +listType=atomic
 | |
|   // Required.
 | |
|   repeated Subject subjects = 1;
 | |
| 
 | |
|   // `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
 | |
|   // target resource.
 | |
|   // At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
 | |
|   // +listType=atomic
 | |
|   // +optional
 | |
|   repeated ResourcePolicyRule resourceRules = 2;
 | |
| 
 | |
|   // `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
 | |
|   // and the target non-resource URL.
 | |
|   // +listType=atomic
 | |
|   // +optional
 | |
|   repeated NonResourcePolicyRule nonResourceRules = 3;
 | |
| }
 | |
| 
 | |
| // PriorityLevelConfiguration represents the configuration of a priority level.
 | |
| message PriorityLevelConfiguration {
 | |
|   // `metadata` is the standard object's metadata.
 | |
|   // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 | |
|   // +optional
 | |
|   optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
 | |
| 
 | |
|   // `spec` is the specification of the desired behavior of a "request-priority".
 | |
|   // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 | |
|   // +optional
 | |
|   optional PriorityLevelConfigurationSpec spec = 2;
 | |
| 
 | |
|   // `status` is the current status of a "request-priority".
 | |
|   // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
 | |
|   // +optional
 | |
|   optional PriorityLevelConfigurationStatus status = 3;
 | |
| }
 | |
| 
 | |
| // PriorityLevelConfigurationCondition defines the condition of priority level.
 | |
| message PriorityLevelConfigurationCondition {
 | |
|   // `type` is the type of the condition.
 | |
|   // Required.
 | |
|   optional string type = 1;
 | |
| 
 | |
|   // `status` is the status of the condition.
 | |
|   // Can be True, False, Unknown.
 | |
|   // Required.
 | |
|   optional string status = 2;
 | |
| 
 | |
|   // `lastTransitionTime` is the last time the condition transitioned from one status to another.
 | |
|   optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
 | |
| 
 | |
|   // `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
 | |
|   optional string reason = 4;
 | |
| 
 | |
|   // `message` is a human-readable message indicating details about last transition.
 | |
|   optional string message = 5;
 | |
| }
 | |
| 
 | |
| // PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.
 | |
| message PriorityLevelConfigurationList {
 | |
|   // `metadata` is the standard object's metadata.
 | |
|   // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 | |
|   // +optional
 | |
|   optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
 | |
| 
 | |
|   // `items` is a list of request-priorities.
 | |
|   repeated PriorityLevelConfiguration items = 2;
 | |
| }
 | |
| 
 | |
| // PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
 | |
| message PriorityLevelConfigurationReference {
 | |
|   // `name` is the name of the priority level configuration being referenced
 | |
|   // Required.
 | |
|   optional string name = 1;
 | |
| }
 | |
| 
 | |
| // PriorityLevelConfigurationSpec specifies the configuration of a priority level.
 | |
| // +union
 | |
| message PriorityLevelConfigurationSpec {
 | |
|   // `type` indicates whether this priority level is subject to
 | |
|   // limitation on request execution.  A value of `"Exempt"` means
 | |
|   // that requests of this priority level are not subject to a limit
 | |
|   // (and thus are never queued) and do not detract from the
 | |
|   // capacity made available to other priority levels.  A value of
 | |
|   // `"Limited"` means that (a) requests of this priority level
 | |
|   // _are_ subject to limits and (b) some of the server's limited
 | |
|   // capacity is made available exclusively to this priority level.
 | |
|   // Required.
 | |
|   // +unionDiscriminator
 | |
|   optional string type = 1;
 | |
| 
 | |
|   // `limited` specifies how requests are handled for a Limited priority level.
 | |
|   // This field must be non-empty if and only if `type` is `"Limited"`.
 | |
|   // +optional
 | |
|   optional LimitedPriorityLevelConfiguration limited = 2;
 | |
| 
 | |
|   // `exempt` specifies how requests are handled for an exempt priority level.
 | |
|   // This field MUST be empty if `type` is `"Limited"`.
 | |
|   // This field MAY be non-empty if `type` is `"Exempt"`.
 | |
|   // If empty and `type` is `"Exempt"` then the default values
 | |
|   // for `ExemptPriorityLevelConfiguration` apply.
 | |
|   // +optional
 | |
|   optional ExemptPriorityLevelConfiguration exempt = 3;
 | |
| }
 | |
| 
 | |
| // PriorityLevelConfigurationStatus represents the current state of a "request-priority".
 | |
| message PriorityLevelConfigurationStatus {
 | |
|   // `conditions` is the current state of "request-priority".
 | |
|   // +listType=map
 | |
|   // +listMapKey=type
 | |
|   // +patchMergeKey=type
 | |
|   // +patchStrategy=merge
 | |
|   // +optional
 | |
|   repeated PriorityLevelConfigurationCondition conditions = 1;
 | |
| }
 | |
| 
 | |
| // QueuingConfiguration holds the configuration parameters for queuing
 | |
| message QueuingConfiguration {
 | |
|   // `queues` is the number of queues for this priority level. The
 | |
|   // queues exist independently at each apiserver. The value must be
 | |
|   // positive.  Setting it to 1 effectively precludes
 | |
|   // shufflesharding and thus makes the distinguisher method of
 | |
|   // associated flow schemas irrelevant.  This field has a default
 | |
|   // value of 64.
 | |
|   // +optional
 | |
|   optional int32 queues = 1;
 | |
| 
 | |
|   // `handSize` is a small positive number that configures the
 | |
|   // shuffle sharding of requests into queues.  When enqueuing a request
 | |
|   // at this priority level the request's flow identifier (a string
 | |
|   // pair) is hashed and the hash value is used to shuffle the list
 | |
|   // of queues and deal a hand of the size specified here.  The
 | |
|   // request is put into one of the shortest queues in that hand.
 | |
|   // `handSize` must be no larger than `queues`, and should be
 | |
|   // significantly smaller (so that a few heavy flows do not
 | |
|   // saturate most of the queues).  See the user-facing
 | |
|   // documentation for more extensive guidance on setting this
 | |
|   // field.  This field has a default value of 8.
 | |
|   // +optional
 | |
|   optional int32 handSize = 2;
 | |
| 
 | |
|   // `queueLengthLimit` is the maximum number of requests allowed to
 | |
|   // be waiting in a given queue of this priority level at a time;
 | |
|   // excess requests are rejected.  This value must be positive.  If
 | |
|   // not specified, it will be defaulted to 50.
 | |
|   // +optional
 | |
|   optional int32 queueLengthLimit = 3;
 | |
| }
 | |
| 
 | |
| // ResourcePolicyRule is a predicate that matches some resource
 | |
| // requests, testing the request's verb and the target resource. A
 | |
| // ResourcePolicyRule matches a resource request if and only if: (a)
 | |
| // at least one member of verbs matches the request, (b) at least one
 | |
| // member of apiGroups matches the request, (c) at least one member of
 | |
| // resources matches the request, and (d) either (d1) the request does
 | |
| // not specify a namespace (i.e., `Namespace==""`) and clusterScope is
 | |
| // true or (d2) the request specifies a namespace and least one member
 | |
| // of namespaces matches the request's namespace.
 | |
| message ResourcePolicyRule {
 | |
|   // `verbs` is a list of matching verbs and may not be empty.
 | |
|   // "*" matches all verbs and, if present, must be the only entry.
 | |
|   // +listType=set
 | |
|   // Required.
 | |
|   repeated string verbs = 1;
 | |
| 
 | |
|   // `apiGroups` is a list of matching API groups and may not be empty.
 | |
|   // "*" matches all API groups and, if present, must be the only entry.
 | |
|   // +listType=set
 | |
|   // Required.
 | |
|   repeated string apiGroups = 2;
 | |
| 
 | |
|   // `resources` is a list of matching resources (i.e., lowercase
 | |
|   // and plural) with, if desired, subresource.  For example, [
 | |
|   // "services", "nodes/status" ].  This list may not be empty.
 | |
|   // "*" matches all resources and, if present, must be the only entry.
 | |
|   // Required.
 | |
|   // +listType=set
 | |
|   repeated string resources = 3;
 | |
| 
 | |
|   // `clusterScope` indicates whether to match requests that do not
 | |
|   // specify a namespace (which happens either because the resource
 | |
|   // is not namespaced or the request targets all namespaces).
 | |
|   // If this field is omitted or false then the `namespaces` field
 | |
|   // must contain a non-empty list.
 | |
|   // +optional
 | |
|   optional bool clusterScope = 4;
 | |
| 
 | |
|   // `namespaces` is a list of target namespaces that restricts
 | |
|   // matches.  A request that specifies a target namespace matches
 | |
|   // only if either (a) this list contains that target namespace or
 | |
|   // (b) this list contains "*".  Note that "*" matches any
 | |
|   // specified namespace but does not match a request that _does
 | |
|   // not specify_ a namespace (see the `clusterScope` field for
 | |
|   // that).
 | |
|   // This list may be empty, but only if `clusterScope` is true.
 | |
|   // +optional
 | |
|   // +listType=set
 | |
|   repeated string namespaces = 5;
 | |
| }
 | |
| 
 | |
| // ServiceAccountSubject holds detailed information for service-account-kind subject.
 | |
| message ServiceAccountSubject {
 | |
|   // `namespace` is the namespace of matching ServiceAccount objects.
 | |
|   // Required.
 | |
|   optional string namespace = 1;
 | |
| 
 | |
|   // `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
 | |
|   // Required.
 | |
|   optional string name = 2;
 | |
| }
 | |
| 
 | |
| // Subject matches the originator of a request, as identified by the request authentication system. There are three
 | |
| // ways of matching an originator; by user, group, or service account.
 | |
| // +union
 | |
| message Subject {
 | |
|   // `kind` indicates which one of the other fields is non-empty.
 | |
|   // Required
 | |
|   // +unionDiscriminator
 | |
|   optional string kind = 1;
 | |
| 
 | |
|   // `user` matches based on username.
 | |
|   // +optional
 | |
|   optional UserSubject user = 2;
 | |
| 
 | |
|   // `group` matches based on user group name.
 | |
|   // +optional
 | |
|   optional GroupSubject group = 3;
 | |
| 
 | |
|   // `serviceAccount` matches ServiceAccounts.
 | |
|   // +optional
 | |
|   optional ServiceAccountSubject serviceAccount = 4;
 | |
| }
 | |
| 
 | |
| // UserSubject holds detailed information for user-kind subject.
 | |
| message UserSubject {
 | |
|   // `name` is the username that matches, or "*" to match all usernames.
 | |
|   // Required.
 | |
|   optional string name = 1;
 | |
| }
 | |
| 
 | 
