From 9964045f7cf8f86134fe8f417468a08b494d25eb Mon Sep 17 00:00:00 2001 
From: Peter Morrow Date: Fri, 16 May 2025 14:07:59 -0700 Subject: [PATCH 1/2] Support kubernetes 1.33 and deprecate 1.29 --- codegen/kubernetes | 8 +- gybe/k8s/v1_29/admissionregistration/v1.py | 345 --- gybe/k8s/v1_29/authentication/v1alpha1.py | 46 - gybe/k8s/v1_29/authentication/v1beta1.py | 46 - gybe/k8s/v1_29/pkg/version.py | 35 - gybe/k8s/v1_29/resource/v1alpha2.py | 330 --- gybe/k8s/{v1_29 => v1_33}/__init__.py | 0 .../k8s/v1_33/admissionregistration/v1.py | 461 +++- .../v1_33/admissionregistration/v1alpha1.py | 440 ++++ .../admissionregistration/v1beta1.py | 23 +- gybe/k8s/{v1_29 => v1_33}/api/resource.py | 0 gybe/k8s/{v1_29 => v1_33}/apiextensions/v1.py | 24 +- .../{v1_29 => v1_33}/apiregistration/v1.py | 4 +- .../apiserverinternal/v1alpha1.py | 6 +- gybe/k8s/{v1_29 => v1_33}/apps/v1.py | 79 +- .../k8s/{v1_29 => v1_33}/authentication/v1.py | 46 +- gybe/k8s/{v1_29 => v1_33}/authorization/v1.py | 74 +- gybe/k8s/{v1_29 => v1_33}/autoscaling/v1.py | 6 +- gybe/k8s/{v1_29 => v1_33}/autoscaling/v2.py | 50 +- gybe/k8s/{v1_29 => v1_33}/batch/v1.py | 131 +- gybe/k8s/{v1_29 => v1_33}/certificates/v1.py | 4 +- .../{v1_29 => v1_33}/certificates/v1alpha1.py | 4 +- gybe/k8s/v1_33/certificates/v1beta1.py | 66 + gybe/k8s/{v1_29 => v1_33}/coordination/v1.py | 17 +- gybe/k8s/v1_33/coordination/v1alpha2.py | 66 + gybe/k8s/v1_33/coordination/v1beta1.py | 67 + gybe/k8s/{v1_29 => v1_33}/core/v1.py | 831 ++++-- gybe/k8s/{v1_29 => v1_33}/discovery/v1.py | 81 +- gybe/k8s/{v1_29 => v1_33}/events/v1.py | 12 +- gybe/k8s/{v1_29 => v1_33}/flowcontrol/v1.py | 6 +- gybe/k8s/{v1_29 => v1_33}/meta/v1.py | 75 +- gybe/k8s/{v1_29 => v1_33}/networking/v1.py | 125 +- .../networking/v1beta1.py} | 18 +- gybe/k8s/{v1_29 => v1_33}/node/v1.py | 8 +- gybe/k8s/v1_33/pkg/version.py | 44 + gybe/k8s/{v1_29 => v1_33}/policy/v1.py | 15 +- gybe/k8s/{v1_29 => v1_33}/rbac/v1.py | 12 +- gybe/k8s/v1_33/resource/v1alpha3.py | 925 +++++++ gybe/k8s/v1_33/resource/v1beta1.py | 868 +++++++ 
gybe/k8s/v1_33/resource/v1beta2.py | 860 +++++++ gybe/k8s/{v1_29 => v1_33}/scheduling/v1.py | 4 +- gybe/k8s/{v1_29 => v1_33}/storage/v1.py | 54 +- gybe/k8s/{v1_29 => v1_33}/storage/v1alpha1.py | 4 +- gybe/k8s/v1_33/storage/v1beta1.py | 42 + gybe/k8s/v1_33/storagemigration/v1alpha1.py | 101 + gybe/k8s/{v1_29 => v1_33}/util/intstr.py | 0 kubernetes | 2 +- .../gybe/k8s/v1_29/__init__.py | 1 - .../k8s/v1_29/admissionregistration/v1.py | 328 --- .../gybe/k8s/v1_29/authentication/v1alpha1.py | 39 - .../gybe/k8s/v1_29/authentication/v1beta1.py | 39 - .../gybe/k8s/v1_29/flowcontrol/v1.py | 410 --- .../gybe/k8s/v1_29/flowcontrol/v1beta3.py | 408 --- .../gybe/k8s/v1_29/pkg/version.py | 31 - .../gybe/k8s/v1_29/resource/v1alpha2.py | 297 --- .../gybe/k8s/v1_29/util/intstr.py | 5 - .../gybe/k8s/v1_33/__init__.py | 1 + .../admissionregistration/v1.py} | 470 +++- .../v1_33/admissionregistration/v1alpha1.py | 440 ++++ .../v1_33/admissionregistration/v1beta1.py | 42 +- .../gybe/k8s/{v1_29 => v1_33}/api/resource.py | 3 +- .../k8s/{v1_29 => v1_33}/apiextensions/v1.py | 156 +- .../{v1_29 => v1_33}/apiregistration/v1.py | 50 +- .../apiserverinternal/v1alpha1.py | 47 +- .../gybe/k8s/{v1_29 => v1_33}/apps/v1.py | 288 ++- .../k8s/{v1_29 => v1_33}/authentication/v1.py | 121 +- .../k8s/{v1_29 => v1_33}/authorization/v1.py | 180 +- .../k8s/{v1_29 => v1_33}/autoscaling/v1.py | 70 +- .../k8s/{v1_29 => v1_33}/autoscaling/v2.py | 238 +- .../gybe/k8s/{v1_29 => v1_33}/batch/v1.py | 243 +- .../k8s/{v1_29 => v1_33}/certificates/v1.py | 44 +- .../{v1_29 => v1_33}/certificates/v1alpha1.py | 29 +- .../gybe/k8s/v1_33/certificates/v1beta1.py | 66 + .../k8s/{v1_29 => v1_33}/coordination/v1.py | 42 +- .../gybe/k8s/v1_33/coordination/v1alpha2.py | 66 + .../gybe/k8s/v1_33/coordination/v1beta1.py | 67 + .../gybe/k8s/{v1_29 => v1_33}/core/v1.py | 2226 +++++++++++------ .../gybe/k8s/{v1_29 => v1_33}/discovery/v1.py | 137 +- .../gybe/k8s/{v1_29 => v1_33}/events/v1.py | 37 +- .../gybe/k8s/v1_33/flowcontrol/v1.py 
| 14 +- .../gybe/k8s/{v1_29 => v1_33}/meta/v1.py | 218 +- .../k8s/{v1_29 => v1_33}/networking/v1.py | 296 ++- .../networking/v1beta1.py} | 72 +- .../gybe/k8s/{v1_29 => v1_33}/node/v1.py | 39 +- .../gybe/k8s/v1_33/pkg/version.py | 44 + .../gybe/k8s/{v1_29 => v1_33}/policy/v1.py | 55 +- .../gybe/k8s/{v1_29 => v1_33}/rbac/v1.py | 83 +- .../gybe/k8s/v1_33/resource/v1alpha3.py | 925 +++++++ .../gybe/k8s/v1_33/resource/v1beta1.py | 868 +++++++ .../gybe/k8s/v1_33/resource/v1beta2.py | 860 +++++++ .../k8s/{v1_29 => v1_33}/scheduling/v1.py | 21 +- .../gybe/k8s/{v1_29 => v1_33}/storage/v1.py | 171 +- .../k8s/{v1_29 => v1_33}/storage/v1alpha1.py | 21 +- .../gybe/k8s/v1_33/storage/v1beta1.py | 42 + .../k8s/v1_33/storagemigration/v1alpha1.py | 101 + .../gybe/k8s/v1_33/util/intstr.py | 3 + tests/test_kubernetes.py | 26 +- 97 files changed, 12202 insertions(+), 4743 deletions(-) delete mode 100644 gybe/k8s/v1_29/admissionregistration/v1.py delete mode 100644 gybe/k8s/v1_29/authentication/v1alpha1.py delete mode 100644 gybe/k8s/v1_29/authentication/v1beta1.py delete mode 100644 gybe/k8s/v1_29/pkg/version.py delete mode 100644 gybe/k8s/v1_29/resource/v1alpha2.py rename gybe/k8s/{v1_29 => v1_33}/__init__.py (100%) rename tests/data/codegen-outputs/gybe/k8s/v1_29/admissionregistration/v1beta1.py => gybe/k8s/v1_33/admissionregistration/v1.py (55%) create mode 100644 gybe/k8s/v1_33/admissionregistration/v1alpha1.py rename gybe/k8s/{v1_29 => v1_33}/admissionregistration/v1beta1.py (97%) rename gybe/k8s/{v1_29 => v1_33}/api/resource.py (100%) rename gybe/k8s/{v1_29 => v1_33}/apiextensions/v1.py (96%) rename gybe/k8s/{v1_29 => v1_33}/apiregistration/v1.py (98%) rename gybe/k8s/{v1_29 => v1_33}/apiserverinternal/v1alpha1.py (96%) rename gybe/k8s/{v1_29 => v1_33}/apps/v1.py (91%) rename gybe/k8s/{v1_29 => v1_33}/authentication/v1.py (97%) rename gybe/k8s/{v1_29 => v1_33}/authorization/v1.py (74%) rename gybe/k8s/{v1_29 => v1_33}/autoscaling/v1.py (97%) rename gybe/k8s/{v1_29 => 
v1_33}/autoscaling/v2.py (90%) rename gybe/k8s/{v1_29 => v1_33}/batch/v1.py (75%) rename gybe/k8s/{v1_29 => v1_33}/certificates/v1.py (99%) rename gybe/k8s/{v1_29 => v1_33}/certificates/v1alpha1.py (97%) create mode 100644 gybe/k8s/v1_33/certificates/v1beta1.py rename gybe/k8s/{v1_29 => v1_33}/coordination/v1.py (65%) create mode 100644 gybe/k8s/v1_33/coordination/v1alpha2.py create mode 100644 gybe/k8s/v1_33/coordination/v1beta1.py rename gybe/k8s/{v1_29 => v1_33}/core/v1.py (88%) rename gybe/k8s/{v1_29 => v1_33}/discovery/v1.py (64%) rename gybe/k8s/{v1_29 => v1_33}/events/v1.py (93%) rename gybe/k8s/{v1_29 => v1_33}/flowcontrol/v1.py (99%) rename gybe/k8s/{v1_29 => v1_33}/meta/v1.py (94%) rename gybe/k8s/{v1_29 => v1_33}/networking/v1.py (82%) rename gybe/k8s/{v1_29/networking/v1alpha1.py => v1_33/networking/v1beta1.py} (88%) rename gybe/k8s/{v1_29 => v1_33}/node/v1.py (95%) create mode 100644 gybe/k8s/v1_33/pkg/version.py rename gybe/k8s/{v1_29 => v1_33}/policy/v1.py (93%) rename gybe/k8s/{v1_29 => v1_33}/rbac/v1.py (96%) create mode 100644 gybe/k8s/v1_33/resource/v1alpha3.py create mode 100644 gybe/k8s/v1_33/resource/v1beta1.py create mode 100644 gybe/k8s/v1_33/resource/v1beta2.py rename gybe/k8s/{v1_29 => v1_33}/scheduling/v1.py (95%) rename gybe/k8s/{v1_29 => v1_33}/storage/v1.py (90%) rename gybe/k8s/{v1_29 => v1_33}/storage/v1alpha1.py (95%) create mode 100644 gybe/k8s/v1_33/storage/v1beta1.py create mode 100644 gybe/k8s/v1_33/storagemigration/v1alpha1.py rename gybe/k8s/{v1_29 => v1_33}/util/intstr.py (100%) delete mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_29/__init__.py delete mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_29/admissionregistration/v1.py delete mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_29/authentication/v1alpha1.py delete mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_29/authentication/v1beta1.py delete mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_29/flowcontrol/v1.py delete mode 100644 
tests/data/codegen-outputs/gybe/k8s/v1_29/flowcontrol/v1beta3.py delete mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_29/pkg/version.py delete mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_29/resource/v1alpha2.py delete mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_29/util/intstr.py create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/__init__.py rename tests/data/codegen-outputs/gybe/k8s/{v1_29/admissionregistration/v1alpha1.py => v1_33/admissionregistration/v1.py} (54%) create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/admissionregistration/v1alpha1.py rename gybe/k8s/v1_29/admissionregistration/v1alpha1.py => tests/data/codegen-outputs/gybe/k8s/v1_33/admissionregistration/v1beta1.py (95%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/api/resource.py (63%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/apiextensions/v1.py (90%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/apiregistration/v1.py (88%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/apiserverinternal/v1alpha1.py (85%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/apps/v1.py (85%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/authentication/v1.py (85%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/authorization/v1.py (66%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/autoscaling/v1.py (87%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/autoscaling/v2.py (79%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/batch/v1.py (71%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/certificates/v1.py (94%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/certificates/v1alpha1.py (89%) create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/certificates/v1beta1.py rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/coordination/v1.py (57%) create mode 100644 
tests/data/codegen-outputs/gybe/k8s/v1_33/coordination/v1alpha2.py create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/coordination/v1beta1.py rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/core/v1.py (82%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/discovery/v1.py (59%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/events/v1.py (87%) rename gybe/k8s/v1_29/flowcontrol/v1beta3.py => tests/data/codegen-outputs/gybe/k8s/v1_33/flowcontrol/v1.py (97%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/meta/v1.py (88%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/networking/v1.py (75%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29/networking/v1alpha1.py => v1_33/networking/v1beta1.py} (74%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/node/v1.py (84%) create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/pkg/version.py rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/policy/v1.py (86%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/rbac/v1.py (85%) create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/resource/v1alpha3.py create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/resource/v1beta1.py create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/resource/v1beta2.py rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/scheduling/v1.py (84%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/storage/v1.py (85%) rename tests/data/codegen-outputs/gybe/k8s/{v1_29 => v1_33}/storage/v1alpha1.py (85%) create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/storage/v1beta1.py create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/storagemigration/v1alpha1.py create mode 100644 tests/data/codegen-outputs/gybe/k8s/v1_33/util/intstr.py
diff --git a/codegen/kubernetes b/codegen/kubernetes
index 7494ddb..426330f 100755
--- a/codegen/kubernetes
+++ b/codegen/kubernetes
@@ -14,9 +14,9 @@ function gen_k8s() {
 }
 # https://kubernetes.io/releases/
-gen_k8s 'v1.29.13' 'v1_29'
-gen_k8s 'v1.30.9' 'v1_30'
-gen_k8s 'v1.31.5' 'v1_31'
-gen_k8s 'v1.32.1' 'v1_32'
+gen_k8s 'v1.30.13' 'v1_30'
+gen_k8s 'v1.31.9' 'v1_31'
+gen_k8s 'v1.32.5' 'v1_32'
+gen_k8s 'v1.33.0' 'v1_33'
 (cd kubernetes && git checkout master -q)
diff --git a/gybe/k8s/v1_29/admissionregistration/v1.py b/gybe/k8s/v1_29/admissionregistration/v1.py
deleted file mode 100644
index e09c7e3..0000000
--- a/gybe/k8s/v1_29/admissionregistration/v1.py
+++ /dev/null
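Review bot: Dropping the `gen_k8s 'v1.29.13' 'v1_29'` line removes the 1.29 models outright rather than deprecating them as the subject says: the summary lists `gybe/k8s/v1_29/*` as deleted or renamed to `v1_33`, so code that imports `gybe.k8s.v1_29` will presumably fail at import time after upgrading. I would say "remove" in the subject and release notes, and add a comment above the list such as `# Only upstream-supported minors are generated; deleting a line here removes gybe.k8s.<ver> for importers.` Separately, the upstream source for each set of models is selected by tag name (`'v1.33.0'` and the others); the body of `gen_k8s` is outside this hunk, so whether the checkout is verified is not visible here. If it only checks out the tag, consider recording the resolved commit id next to the generated output so a regeneration can be traced to an exact upstream revision.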
@@ -1,345 +0,0 @@ -"""Models generated from Kubernetes OpenAPI Spec.""" - -from __future__ import annotations - -from dataclasses import dataclass -from typing import List, Literal, Optional - -import gybe.k8s.v1_29.meta.v1 -from gybe.k8s.types import K8sResource, K8sSpec - - -@dataclass -class MatchCondition(K8sSpec): - """MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. - - Attributes: - expression: Expression represents the expression which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, - organized into CEL variables: 'object' - The object from the incoming request. The value is null - for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal - (user or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 'authorizer.requestResource' - A CEL - ResourceCheck constructed from the 'authorizer' and configured with the request resource. - Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Required. - name: Name is an identifier for this match condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. A good name should be descriptive of the - associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', - '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', - or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an - optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') Required. 
- - """ - - name: str - expression: str - - -@dataclass -class MutatingWebhook(K8sSpec): - """MutatingWebhook describes an admission webhook and the resources and operations it applies to. - - Attributes: - admissionReviewVersions: AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` - versions the Webhook expects. API server will try to use first version in the list which it - supports. If none of the versions specified in this list supported by API server, validation will - fail for this object. If a persisted webhook configuration specifies allowed versions and does not - include any versions known to the API Server, calls to the webhook will fail and be subject to the - failure policy. - clientConfig: ClientConfig defines how to communicate with the hook. Required - failurePolicy: FailurePolicy defines how unrecognized errors from the admission endpoint are handled - - allowed values are Ignore or Fail. Defaults to Fail. - matchConditions: MatchConditions is a list of conditions that must be met for a request to be sent to - this webhook. Match conditions filter requests that have already been matched by the rules, - namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. - There are a maximum of 64 match conditions allowed. The exact matching logic is (in order): 1. - If ANY matchCondition evaluates to FALSE, the webhook is skipped. 2. If ALL matchConditions - evaluate to TRUE, the webhook is called. 3. If any matchCondition evaluates to an error (but - none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, - the error is ignored and the webhook is skipped This is a beta feature and managed by the - AdmissionWebhookMatchConditions feature gate. - matchPolicy: matchPolicy defines how the 'rules' list is used to match incoming requests. Allowed - values are 'Exact' or 'Equivalent'. - Exact: match a request only if it exactly matches a - specified rule. 
For example, if deployments can be modified via apps/v1, apps/v1beta1, and - extensions/v1beta1, but 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: - ['deployments']`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the - webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another - API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and - extensions/v1beta1, and 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: - ['deployments']`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 - and sent to the webhook. Defaults to 'Equivalent' - name: The name of the admission webhook. Name should be fully qualified, e.g., - imagepolicy.kubernetes.io, where 'imagepolicy' is the name of the webhook, and kubernetes.io is - the name of the organization. Required. - namespaceSelector: NamespaceSelector decides whether to run the webhook on an object based on whether - the namespace for that object matches the selector. If the object itself is a namespace, the - matching is performed on object.metadata.labels. If the object is another cluster scoped resource, - it never skips the webhook. For example, to run the webhook on any objects whose namespace is not - associated with 'runlevel' of '0' or '1'; you will set the selector as follows: - 'namespaceSelector': { 'matchExpressions': [ { 'key': 'runlevel', 'operator': - 'NotIn', 'values': [ '0', '1' ] } ] } If instead you want to - only run the webhook on any objects whose namespace is associated with the 'environment' of 'prod' - or 'staging'; you will set the selector as follows: 'namespaceSelector': { 'matchExpressions': [ - { 'key': 'environment', 'operator': 'In', 'values': [ 'prod', - 'staging' ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with- - objects/labels/ for more examples of label selectors. 
Default to the empty LabelSelector, which - matches everything. - objectSelector: ObjectSelector decides whether to run the webhook based on if the object has matching - labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to - the webhook, and is considered to match if either object matches the selector. A null object - (oldObject in the case of create, or newObject in the case of delete) or an object that cannot - have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. - Use the object selector only if the webhook is opt-in, because end users may skip the admission - webhook by setting the labels. Default to the empty LabelSelector, which matches everything. - reinvocationPolicy: reinvocationPolicy indicates whether this webhook should be called multiple times - as part of a single admission evaluation. Allowed values are 'Never' and 'IfNeeded'. Never: the - webhook will not be called more than once in a single admission evaluation. IfNeeded: the webhook - will be called at least one additional time as part of the admission evaluation if the object - being admitted is modified by other admission plugins after the initial webhook call. Webhooks - that specify this option *must* be idempotent, able to process objects they previously admitted. - Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional - invocations result in further modifications to the object, webhooks are not guaranteed to be - invoked again. * webhooks that use this option may be reordered to minimize the number of - additional invocations. * to validate an object after all mutations are guaranteed complete, use a - validating admission webhook instead. Defaults to 'Never'. - rules: Rules describes what operations on what resources/subresources the webhook cares about. The - webhook cares about an operation if it matches _any_ Rule. 
However, in order to prevent - ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state - which cannot be recovered from without completely disabling the plugin, - ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests - for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. - sideEffects: SideEffects states whether this webhook has side effects. Acceptable values are: None, - NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side - effects MUST implement a reconciliation system, since a request may be rejected by a future step - in the admission chain and the side effects therefore need to be undone. Requests with the dryRun - attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. - timeoutSeconds: TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the - webhook call will be ignored or the API call will fail based on the failure policy. The timeout - value must be between 1 and 30 seconds. Default to 10 seconds. - - """ - - name: str - clientConfig: WebhookClientConfig - sideEffects: str - admissionReviewVersions: List[str] - failurePolicy: Optional[str] = None - matchConditions: Optional[List[MatchCondition]] = None - matchPolicy: Optional[str] = None - namespaceSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None - objectSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None - reinvocationPolicy: Optional[str] = None - rules: Optional[List[RuleWithOperations]] = None - timeoutSeconds: Optional[int] = None - - -@dataclass -class MutatingWebhookConfiguration(K8sResource): - """MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or - reject and may change the object. - - Attributes: - apiVersion: APIVersion defines the versioned schema of this representation of an object. 
Servers - should convert recognized schemas to the latest internal value, and may reject unrecognized - values. - kind: Kind is a string value representing the REST resource this object represents. Servers may infer - this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. - metadata: Standard object metadata; - webhooks: Webhooks is a list of webhooks and the affected resources and operations. - - """ - - apiVersion: Literal['admissionregistration.k8s.io/v1'] = 'admissionregistration.k8s.io/v1' - kind: Literal['MutatingWebhookConfiguration'] = 'MutatingWebhookConfiguration' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - webhooks: Optional[List[MutatingWebhook]] = None - - -@dataclass -class RuleWithOperations(K8sSpec): - """RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the - tuple expansions are valid. - - Attributes: - apiGroups: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, - the length of the slice must be one. Required. - apiVersions: APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is - present, the length of the slice must be one. Required. - operations: Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, - CONNECT or * for all of those operations and any future admission operations that are added. If - '*' is present, the length of the slice must be one. Required. - resources: Resources is a list of resources this rule applies to. For example: 'pods' means pods. - 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. - 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all - resources and their subresources. If wildcard is present, the validation rule will ensure - resources do not overlap with each other. 
Depending on the enclosing object, subresources might - not be allowed. Required. - scope: scope specifies the scope of this rule. Valid values are 'Cluster', 'Namespaced', and '*' - 'Cluster' means that only cluster-scoped resources will match this rule. Namespace API objects are - cluster-scoped. 'Namespaced' means that only namespaced resources will match this rule. '*' means - that there are no scope restrictions. Subresources match the scope of their parent resource. - Default is '*'. - - """ - - apiGroups: Optional[List[str]] = None - apiVersions: Optional[List[str]] = None - operations: Optional[List[str]] = None - resources: Optional[List[str]] = None - scope: Optional[str] = None - - -@dataclass -class ServiceReference(K8sSpec): - """ServiceReference holds a reference to Service.legacy.k8s.io - Attributes: - name: `name` is the name of the service. Required - namespace: `namespace` is the namespace of the service. Required - path: `path` is an optional URL path which will be sent in any request to this service. - port: If specified, the port on the service that hosting webhook. Default to 443 for backward - compatibility. `port` should be a valid port number (1-65535, inclusive). - - """ - - namespace: str - name: str - path: Optional[str] = None - port: Optional[int] = None - - -@dataclass -class ValidatingWebhook(K8sSpec): - """ValidatingWebhook describes an admission webhook and the resources and operations it applies to. - - Attributes: - admissionReviewVersions: AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` - versions the Webhook expects. API server will try to use first version in the list which it - supports. If none of the versions specified in this list supported by API server, validation will - fail for this object. If a persisted webhook configuration specifies allowed versions and does not - include any versions known to the API Server, calls to the webhook will fail and be subject to the - failure policy. 
- clientConfig: ClientConfig defines how to communicate with the hook. Required - failurePolicy: FailurePolicy defines how unrecognized errors from the admission endpoint are handled - - allowed values are Ignore or Fail. Defaults to Fail. - matchConditions: MatchConditions is a list of conditions that must be met for a request to be sent to - this webhook. Match conditions filter requests that have already been matched by the rules, - namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. - There are a maximum of 64 match conditions allowed. The exact matching logic is (in order): 1. - If ANY matchCondition evaluates to FALSE, the webhook is skipped. 2. If ALL matchConditions - evaluate to TRUE, the webhook is called. 3. If any matchCondition evaluates to an error (but - none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, - the error is ignored and the webhook is skipped This is a beta feature and managed by the - AdmissionWebhookMatchConditions feature gate. - matchPolicy: matchPolicy defines how the 'rules' list is used to match incoming requests. Allowed - values are 'Exact' or 'Equivalent'. - Exact: match a request only if it exactly matches a - specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and - extensions/v1beta1, but 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: - ['deployments']`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the - webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another - API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and - extensions/v1beta1, and 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: - ['deployments']`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 - and sent to the webhook. 
Defaults to 'Equivalent' - name: The name of the admission webhook. Name should be fully qualified, e.g., - imagepolicy.kubernetes.io, where 'imagepolicy' is the name of the webhook, and kubernetes.io is - the name of the organization. Required. - namespaceSelector: NamespaceSelector decides whether to run the webhook on an object based on whether - the namespace for that object matches the selector. If the object itself is a namespace, the - matching is performed on object.metadata.labels. If the object is another cluster scoped resource, - it never skips the webhook. For example, to run the webhook on any objects whose namespace is not - associated with 'runlevel' of '0' or '1'; you will set the selector as follows: - 'namespaceSelector': { 'matchExpressions': [ { 'key': 'runlevel', 'operator': - 'NotIn', 'values': [ '0', '1' ] } ] } If instead you want to - only run the webhook on any objects whose namespace is associated with the 'environment' of 'prod' - or 'staging'; you will set the selector as follows: 'namespaceSelector': { 'matchExpressions': [ - { 'key': 'environment', 'operator': 'In', 'values': [ 'prod', - 'staging' ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with- - objects/labels for more examples of label selectors. Default to the empty LabelSelector, which - matches everything. - objectSelector: ObjectSelector decides whether to run the webhook based on if the object has matching - labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to - the webhook, and is considered to match if either object matches the selector. A null object - (oldObject in the case of create, or newObject in the case of delete) or an object that cannot - have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. - Use the object selector only if the webhook is opt-in, because end users may skip the admission - webhook by setting the labels. 
Default to the empty LabelSelector, which matches everything. - rules: Rules describes what operations on what resources/subresources the webhook cares about. The - webhook cares about an operation if it matches _any_ Rule. However, in order to prevent - ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state - which cannot be recovered from without completely disabling the plugin, - ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests - for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. - sideEffects: SideEffects states whether this webhook has side effects. Acceptable values are: None, - NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side - effects MUST implement a reconciliation system, since a request may be rejected by a future step - in the admission chain and the side effects therefore need to be undone. Requests with the dryRun - attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. - timeoutSeconds: TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the - webhook call will be ignored or the API call will fail based on the failure policy. The timeout - value must be between 1 and 30 seconds. Default to 10 seconds. 
- - """ - - name: str - clientConfig: WebhookClientConfig - sideEffects: str - admissionReviewVersions: List[str] - failurePolicy: Optional[str] = None - matchConditions: Optional[List[MatchCondition]] = None - matchPolicy: Optional[str] = None - namespaceSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None - objectSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None - rules: Optional[List[RuleWithOperations]] = None - timeoutSeconds: Optional[int] = None - - -@dataclass -class ValidatingWebhookConfiguration(K8sResource): - """ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or - reject and object without changing it. - - Attributes: - apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers - should convert recognized schemas to the latest internal value, and may reject unrecognized - values. - kind: Kind is a string value representing the REST resource this object represents. Servers may infer - this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. - metadata: Standard object metadata; - webhooks: Webhooks is a list of webhooks and the affected resources and operations. - - """ - - apiVersion: Literal['admissionregistration.k8s.io/v1'] = 'admissionregistration.k8s.io/v1' - kind: Literal['ValidatingWebhookConfiguration'] = 'ValidatingWebhookConfiguration' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - webhooks: Optional[List[ValidatingWebhook]] = None - - -@dataclass -class WebhookClientConfig(K8sSpec): - """WebhookClientConfig contains the information to make a TLS connection with the webhook - Attributes: - caBundle: `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server - certificate. If unspecified, system trust roots on the apiserver are used. - service: `service` is a reference to the service for this webhook. Either `service` or `url` must be - specified. 
If the webhook is running within the cluster, then you should use `service`. - url: `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). - Exactly one of `url` or `service` must be specified. The `host` should not refer to a service - running in the cluster; use the `service` field instead. The host might be resolved via external - DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a - layering violation). `host` may also be an IP address. Please note that using `localhost` or - `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which - run an apiserver which might need to make calls to this webhook. Such installs are likely to be - non-portable, i.e., not easy to turn up in a new cluster. The scheme must be 'https'; the URL - must begin with 'https://'. A path is optional, and if present may be any string permissible in a - URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster - identifier. Attempting to use a user or basic auth e.g. 'user:password@' is not allowed. - Fragments ('#...') and query parameters ('?...') are not allowed, either. - - """ - - caBundle: Optional[str] = None - service: Optional[ServiceReference] = None - url: Optional[str] = None diff --git a/gybe/k8s/v1_29/authentication/v1alpha1.py b/gybe/k8s/v1_29/authentication/v1alpha1.py deleted file mode 100644 index 1d39b37..0000000 --- a/gybe/k8s/v1_29/authentication/v1alpha1.py +++ /dev/null 
@@ -1,46 +0,0 @@ -"""Models generated from Kubernetes OpenAPI Spec.""" - -from __future__ import annotations - -from dataclasses import dataclass -from typing import Literal, Optional - -import gybe.k8s.v1_29.authentication.v1 -import gybe.k8s.v1_29.meta.v1 -from gybe.k8s.types import K8sResource, K8sSpec - - -@dataclass -class SelfSubjectReview(K8sResource): - """SelfSubjectReview contains the user information that the kube-apiserver has about the user making this - request. When using impersonation, users will receive the user info of the user being impersonated. - If impersonation or request header authentication is used, any extra keys will have their case ignored - and returned as lowercase. - - Attributes: - apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers - should convert recognized schemas to the latest internal value, and may reject unrecognized - values. - kind: Kind is a string value representing the REST resource this object represents. Servers may infer - this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. - metadata: Standard object's metadata. - status: Status is filled in by the server with the user attributes. - - """ - - apiVersion: Literal['authentication.k8s.io/v1alpha1'] = 'authentication.k8s.io/v1alpha1' - kind: Literal['SelfSubjectReview'] = 'SelfSubjectReview' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - status: Optional[SelfSubjectReviewStatus] = None - - -@dataclass -class SelfSubjectReviewStatus(K8sSpec): - """SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user. - - Attributes: - userInfo: User attributes of the user making this request. - - """ - - userInfo: Optional[gybe.k8s.v1_29.authentication.v1.UserInfo] = None diff --git a/gybe/k8s/v1_29/authentication/v1beta1.py b/gybe/k8s/v1_29/authentication/v1beta1.py deleted file mode 100644 index 0bc9a6a..0000000 
--- a/gybe/k8s/v1_29/authentication/v1beta1.py +++ /dev/null @@ -1,46 +0,0 @@ -"""Models generated from Kubernetes OpenAPI Spec.""" - -from __future__ import annotations - -from dataclasses import dataclass -from typing import Literal, Optional - -import gybe.k8s.v1_29.authentication.v1 -import gybe.k8s.v1_29.meta.v1 -from gybe.k8s.types import K8sResource, K8sSpec - - -@dataclass -class SelfSubjectReview(K8sResource): - """SelfSubjectReview contains the user information that the kube-apiserver has about the user making this - request. When using impersonation, users will receive the user info of the user being impersonated. - If impersonation or request header authentication is used, any extra keys will have their case ignored - and returned as lowercase. - - Attributes: - apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers - should convert recognized schemas to the latest internal value, and may reject unrecognized - values. - kind: Kind is a string value representing the REST resource this object represents. Servers may infer - this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. - metadata: Standard object's metadata. - status: Status is filled in by the server with the user attributes. - - """ - - apiVersion: Literal['authentication.k8s.io/v1beta1'] = 'authentication.k8s.io/v1beta1' - kind: Literal['SelfSubjectReview'] = 'SelfSubjectReview' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - status: Optional[SelfSubjectReviewStatus] = None - - -@dataclass -class SelfSubjectReviewStatus(K8sSpec): - """SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user. - - Attributes: - userInfo: User attributes of the user making this request. - - """ - - userInfo: Optional[gybe.k8s.v1_29.authentication.v1.UserInfo] = None diff --git a/gybe/k8s/v1_29/pkg/version.py b/gybe/k8s/v1_29/pkg/version.py deleted file mode 100644 index 362f5bc..0000000 
--- a/gybe/k8s/v1_29/pkg/version.py +++ /dev/null @@ -1,35 +0,0 @@ -"""Models generated from Kubernetes OpenAPI Spec.""" - -from __future__ import annotations - -from dataclasses import dataclass - -from gybe.k8s.types import K8sSpec - - -@dataclass -class Info(K8sSpec): - """Info contains versioning information. how we'll want to distribute that information. - - Attributes: - buildDate: ... - compiler: ... - gitCommit: ... - gitTreeState: ... - gitVersion: ... - goVersion: ... - major: ... - minor: ... - platform: ... - - """ - - major: str - minor: str - gitVersion: str - gitCommit: str - gitTreeState: str - buildDate: str - goVersion: str - compiler: str - platform: str diff --git a/gybe/k8s/v1_29/resource/v1alpha2.py b/gybe/k8s/v1_29/resource/v1alpha2.py deleted file mode 100644 index e42ea5d..0000000 --- a/gybe/k8s/v1_29/resource/v1alpha2.py +++ /dev/null 
@@ -1,330 +0,0 @@ -"""Models generated from Kubernetes OpenAPI Spec.""" - -from __future__ import annotations - -from dataclasses import dataclass -from typing import List, Literal, Optional - -import gybe.k8s.v1_29.core.v1 -import gybe.k8s.v1_29.meta.v1 -from gybe.k8s.types import K8sResource, K8sSpec - - -@dataclass -class AllocationResult(K8sSpec): - """AllocationResult contains attributes of an allocated resource. - - Attributes: - availableOnNodes: This field will get set by the resource driver after it has allocated the resource - to inform the scheduler where it can schedule Pods using the ResourceClaim. Setting this field is - optional. If null, the resource is available everywhere. - resourceHandles: ResourceHandles contain the state associated with an allocation that should be - maintained throughout the lifetime of a claim. Each ResourceHandle contains data that should be - passed to a specific kubelet plugin once it lands on a node. This data is returned by the driver - after a successful allocation and is opaque to Kubernetes. Driver documentation may explain to - users how to interpret this data if needed. Setting this field is optional. It has a maximum size - of 32 entries. If null (or empty), it is assumed this allocation will be processed by a single - kubelet plugin with no ResourceHandle data attached. The name of the kubelet plugin invoked will - match the DriverName set in the ResourceClaimStatus this AllocationResult is embedded in. - shareable: Shareable determines whether the resource supports more than one consumer at a time. - - """ - - availableOnNodes: Optional[gybe.k8s.v1_29.core.v1.NodeSelector] = None - resourceHandles: Optional[List[ResourceHandle]] = None - shareable: Optional[bool] = None - - -@dataclass -class PodSchedulingContext(K8sResource): - """PodSchedulingContext objects hold information that is needed to schedule a Pod with ResourceClaims - that use 'WaitForFirstConsumer' allocation mode. 
This is an alpha type and requires enabling the - DynamicResourceAllocation feature gate. - - Attributes: - apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers - should convert recognized schemas to the latest internal value, and may reject unrecognized - values. - kind: Kind is a string value representing the REST resource this object represents. Servers may infer - this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. - metadata: Standard object metadata - spec: Spec describes where resources for the Pod are needed. - status: Status describes where resources for the Pod can be allocated. - - """ - - spec: PodSchedulingContextSpec - apiVersion: Literal['resource.k8s.io/v1alpha2'] = 'resource.k8s.io/v1alpha2' - kind: Literal['PodSchedulingContext'] = 'PodSchedulingContext' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - status: Optional[PodSchedulingContextStatus] = None - - -@dataclass -class PodSchedulingContextSpec(K8sSpec): - """PodSchedulingContextSpec describes where resources for the Pod are needed. - - Attributes: - potentialNodes: PotentialNodes lists nodes where the Pod might be able to run. The size of this field - is limited to 128. This is large enough for many clusters. Larger clusters may need more attempts - to find a node that suits all pending resources. This may get increased in the future, but not - reduced. - selectedNode: SelectedNode is the node for which allocation of ResourceClaims that are referenced by - the Pod and that use 'WaitForFirstConsumer' allocation is to be attempted. - - """ - - potentialNodes: Optional[List[str]] = None - selectedNode: Optional[str] = None - - -@dataclass -class PodSchedulingContextStatus(K8sSpec): - """PodSchedulingContextStatus describes where resources for the Pod can be allocated. 
- - Attributes: - resourceClaims: ResourceClaims describes resource availability for each pod.spec.resourceClaim entry - where the corresponding ResourceClaim uses 'WaitForFirstConsumer' allocation mode. - - """ - - resourceClaims: Optional[List[ResourceClaimSchedulingStatus]] = None - - -@dataclass -class ResourceClaim(K8sResource): - """ResourceClaim describes which resources are needed by a resource consumer. Its status tracks whether - the resource has been allocated and what the resulting attributes are. This is an alpha type and - requires enabling the DynamicResourceAllocation feature gate. - - Attributes: - apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers - should convert recognized schemas to the latest internal value, and may reject unrecognized - values. - kind: Kind is a string value representing the REST resource this object represents. Servers may infer - this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. - metadata: Standard object metadata - spec: Spec describes the desired attributes of a resource that then needs to be allocated. It can only - be set once when creating the ResourceClaim. - status: Status describes whether the resource is available and with which attributes. - - """ - - spec: ResourceClaimSpec - apiVersion: Literal['resource.k8s.io/v1alpha2'] = 'resource.k8s.io/v1alpha2' - kind: Literal['ResourceClaim'] = 'ResourceClaim' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - status: Optional[ResourceClaimStatus] = None - - -@dataclass -class ResourceClaimConsumerReference(K8sSpec): - """ResourceClaimConsumerReference contains enough information to let you locate the consumer of a - ResourceClaim. The user must be a resource in the same namespace as the ResourceClaim. - - Attributes: - apiGroup: APIGroup is the group for the resource being referenced. It is empty for the core API. 
This - matches the group in the APIVersion that is used when creating the resources. - name: Name is the name of resource being referenced. - resource: Resource is the type of resource being referenced, for example 'pods'. - uid: UID identifies exactly one incarnation of the resource. - - """ - - resource: str - name: str - uid: str - apiGroup: Optional[str] = None - - -@dataclass -class ResourceClaimParametersReference(K8sSpec): - """ResourceClaimParametersReference contains enough information to let you locate the parameters for a - ResourceClaim. The object must be in the same namespace as the ResourceClaim. - - Attributes: - apiGroup: APIGroup is the group for the resource being referenced. It is empty for the core API. This - matches the group in the APIVersion that is used when creating the resources. - kind: Kind is the type of resource being referenced. This is the same value as in the parameter - object's metadata, for example 'ConfigMap'. - name: Name is the name of resource being referenced. - - """ - - kind: str - name: str - apiGroup: Optional[str] = None - - -@dataclass -class ResourceClaimSchedulingStatus(K8sSpec): - """ResourceClaimSchedulingStatus contains information about one particular ResourceClaim with - 'WaitForFirstConsumer' allocation mode. - - Attributes: - name: Name matches the pod.spec.resourceClaims[*].Name field. - unsuitableNodes: UnsuitableNodes lists nodes that the ResourceClaim cannot be allocated for. The size - of this field is limited to 128, the same as for PodSchedulingSpec.PotentialNodes. This may get - increased in the future, but not reduced. - - """ - - name: Optional[str] = None - unsuitableNodes: Optional[List[str]] = None - - -@dataclass -class ResourceClaimSpec(K8sSpec): - """ResourceClaimSpec defines how a resource is to be allocated. - - Attributes: - allocationMode: Allocation can start immediately or when a Pod wants to use the resource. - 'WaitForFirstConsumer' is the default. 
- parametersRef: ParametersRef references a separate object with arbitrary parameters that will be used - by the driver when allocating a resource for the claim. The object must be in the same namespace - as the ResourceClaim. - resourceClassName: ResourceClassName references the driver and additional parameters via the name of a - ResourceClass that was created as part of the driver deployment. - - """ - - resourceClassName: str - allocationMode: Optional[str] = None - parametersRef: Optional[ResourceClaimParametersReference] = None - - -@dataclass -class ResourceClaimStatus(K8sSpec): - """ResourceClaimStatus tracks whether the resource has been allocated and what the resulting attributes - are. - - Attributes: - allocation: Allocation is set by the resource driver once a resource or set of resources has been - allocated successfully. If this is not specified, the resources have not been allocated yet. - deallocationRequested: DeallocationRequested indicates that a ResourceClaim is to be deallocated. The - driver then must deallocate this claim and reset the field together with clearing the Allocation - field. While DeallocationRequested is set, no new consumers may be added to ReservedFor. - driverName: DriverName is a copy of the driver name from the ResourceClass at the time when allocation - started. - reservedFor: ReservedFor indicates which entities are currently allowed to use the claim. A Pod which - references a ResourceClaim which is not reserved for that Pod will not be started. There can be - at most 32 such reservations. This may get increased in the future, but not reduced. - - """ - - allocation: Optional[AllocationResult] = None - deallocationRequested: Optional[bool] = None - driverName: Optional[str] = None - reservedFor: Optional[List[ResourceClaimConsumerReference]] = None - - -@dataclass -class ResourceClaimTemplate(K8sResource): - """ResourceClaimTemplate is used to produce ResourceClaim objects. 
- - Attributes: - apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers - should convert recognized schemas to the latest internal value, and may reject unrecognized - values. - kind: Kind is a string value representing the REST resource this object represents. Servers may infer - this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. - metadata: Standard object metadata - spec: Describes the ResourceClaim that is to be generated. This field is immutable. A ResourceClaim - will get created by the control plane for a Pod when needed and then not get updated anymore. - - """ - - spec: ResourceClaimTemplateSpec - apiVersion: Literal['resource.k8s.io/v1alpha2'] = 'resource.k8s.io/v1alpha2' - kind: Literal['ResourceClaimTemplate'] = 'ResourceClaimTemplate' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - - -@dataclass -class ResourceClaimTemplateSpec(K8sSpec): - """ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim. - - Attributes: - metadata: ObjectMeta may contain labels and annotations that will be copied into the PVC when creating - it. No other fields are allowed and will be rejected during validation. - spec: Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that - gets created from this template. The same fields as in a ResourceClaim are also valid here. - - """ - - spec: ResourceClaimSpec - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - - -@dataclass -class ResourceClass(K8sResource): - """ResourceClass is used by administrators to influence how resources are allocated. This is an alpha - type and requires enabling the DynamicResourceAllocation feature gate. - - Attributes: - apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers - should convert recognized schemas to the latest internal value, and may reject unrecognized - values. 
- driverName: DriverName defines the name of the dynamic resource driver that is used for allocation of - a ResourceClaim that uses this class. Resource drivers have a unique name in forward domain order - (acme.example.com). - kind: Kind is a string value representing the REST resource this object represents. Servers may infer - this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. - metadata: Standard object metadata - parametersRef: ParametersRef references an arbitrary separate object that may hold parameters that - will be used by the driver when allocating a resource that uses this class. A dynamic resource - driver can distinguish between parameters stored here and and those stored in ResourceClaimSpec. - suitableNodes: Only nodes matching the selector will be considered by the scheduler when trying to - find a Node that fits a Pod when that Pod uses a ResourceClaim that has not been allocated yet. - Setting this field is optional. If null, all nodes are candidates. - - """ - - driverName: str - apiVersion: Literal['resource.k8s.io/v1alpha2'] = 'resource.k8s.io/v1alpha2' - kind: Literal['ResourceClass'] = 'ResourceClass' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None - parametersRef: Optional[ResourceClassParametersReference] = None - suitableNodes: Optional[gybe.k8s.v1_29.core.v1.NodeSelector] = None - - -@dataclass -class ResourceClassParametersReference(K8sSpec): - """ResourceClassParametersReference contains enough information to let you locate the parameters for a - ResourceClass. - - Attributes: - apiGroup: APIGroup is the group for the resource being referenced. It is empty for the core API. This - matches the group in the APIVersion that is used when creating the resources. - kind: Kind is the type of resource being referenced. This is the same value as in the parameter - object's metadata. - name: Name is the name of resource being referenced. 
- namespace: Namespace that contains the referenced resource. Must be empty for cluster-scoped resources - and non-empty for namespaced resources. - - """ - - kind: str - name: str - apiGroup: Optional[str] = None - namespace: Optional[str] = None - - -@dataclass -class ResourceHandle(K8sSpec): - """ResourceHandle holds opaque resource data for processing by a specific kubelet plugin. - - Attributes: - data: Data contains the opaque data associated with this ResourceHandle. It is set by the controller - component of the resource driver whose name matches the DriverName set in the ResourceClaimStatus - this ResourceHandle is embedded in. It is set at allocation time and is intended for processing by - the kubelet plugin whose name matches the DriverName set in this ResourceHandle. The maximum size - of this field is 16KiB. This may get increased in the future, but not reduced. - driverName: DriverName specifies the name of the resource driver whose kubelet plugin should be - invoked to process this ResourceHandle's data once it lands on a node. This may differ from the - DriverName set in ResourceClaimStatus this ResourceHandle is embedded in. - - """ - - data: Optional[str] = None - driverName: Optional[str] = None diff --git a/gybe/k8s/v1_29/__init__.py b/gybe/k8s/v1_33/__init__.py similarity index 100% rename from gybe/k8s/v1_29/__init__.py rename to gybe/k8s/v1_33/__init__.py diff --git a/tests/data/codegen-outputs/gybe/k8s/v1_29/admissionregistration/v1beta1.py b/gybe/k8s/v1_33/admissionregistration/v1.py similarity index 55% rename from tests/data/codegen-outputs/gybe/k8s/v1_29/admissionregistration/v1beta1.py rename to gybe/k8s/v1_33/admissionregistration/v1.py index 2a04c8e..a733403 100644 --- a/tests/data/codegen-outputs/gybe/k8s/v1_29/admissionregistration/v1beta1.py +++ b/gybe/k8s/v1_33/admissionregistration/v1.py 
@@ -1,14 +1,18 @@ """Models generated from Kubernetes OpenAPI Spec.""" + from __future__ import annotations -from typing import List, Optional, Literal + from dataclasses import dataclass -from gybe.k8s.types import JSONObj, JSONDict, K8sSpec, K8sResource -import gybe.k8s.v1_29.meta.v1 +from typing import List, Literal, Optional + +import gybe.k8s.v1_33.meta.v1 +from gybe.k8s.types import K8sResource, K8sSpec + @dataclass class AuditAnnotation(K8sSpec): - """ - AuditAnnotation describes how to produce an audit annotation for an API request. + """AuditAnnotation describes how to produce an audit annotation for an API request. + Attributes: key: key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 @@ -28,14 +32,16 @@ class AuditAnnotation(K8sSpec): unique values produced by the valueExpressions will be joined together in a comma-separated list. Required. -""" + """ + key: str valueExpression: str + @dataclass class ExpressionWarning(K8sSpec): - """ - ExpressionWarning is a warning information that targets a specific expression. + """ExpressionWarning is a warning information that targets a specific expression. + Attributes: fieldRef: The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is 'spec.validations[0].expression' 
@@ -43,14 +49,16 @@ class ExpressionWarning(K8sSpec): contains the type that the expression is checked against, followed by the type check error from the compiler. -""" + """ + fieldRef: str warning: str + @dataclass class MatchCondition(K8sSpec): - """ - MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook. + """MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. + Attributes: expression: Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, @@ -69,16 +77,18 @@ class MatchCondition(K8sSpec): or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') Required. -""" + """ + name: str expression: str + @dataclass class MatchResources(K8sSpec): - """ - MatchResources decides whether to run the admission control policy on an object based on whether it + """MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded) + Attributes: excludeResourceRules: ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over 
@@ -117,17 +127,138 @@ class MatchResources(K8sSpec): resourceRules: ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule. -""" + """ + excludeResourceRules: Optional[List[NamedRuleWithOperations]] = None matchPolicy: Optional[str] = None - namespaceSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None - objectSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + namespaceSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + objectSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None resourceRules: Optional[List[NamedRuleWithOperations]] = None + @dataclass -class NamedRuleWithOperations(K8sSpec): +class MutatingWebhook(K8sSpec): + """MutatingWebhook describes an admission webhook and the resources and operations it applies to. + + Attributes: + admissionReviewVersions: AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + versions the Webhook expects. API server will try to use first version in the list which it + supports. If none of the versions specified in this list supported by API server, validation will + fail for this object. If a persisted webhook configuration specifies allowed versions and does not + include any versions known to the API Server, calls to the webhook will fail and be subject to the + failure policy. + clientConfig: ClientConfig defines how to communicate with the hook. Required + failurePolicy: FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + allowed values are Ignore or Fail. Defaults to Fail. + matchConditions: MatchConditions is a list of conditions that must be met for a request to be sent to + this webhook. Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. 
+ There are a maximum of 64 match conditions allowed. The exact matching logic is (in order): 1. + If ANY matchCondition evaluates to FALSE, the webhook is skipped. 2. If ALL matchConditions + evaluate to TRUE, the webhook is called. 3. If any matchCondition evaluates to an error (but + none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, + the error is ignored and the webhook is skipped + matchPolicy: matchPolicy defines how the 'rules' list is used to match incoming requests. Allowed + values are 'Exact' or 'Equivalent'. - Exact: match a request only if it exactly matches a + specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and + extensions/v1beta1, but 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: + ['deployments']`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the + webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another + API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and + extensions/v1beta1, and 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: + ['deployments']`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 + and sent to the webhook. Defaults to 'Equivalent' + name: The name of the admission webhook. Name should be fully qualified, e.g., + imagepolicy.kubernetes.io, where 'imagepolicy' is the name of the webhook, and kubernetes.io is + the name of the organization. Required. + namespaceSelector: NamespaceSelector decides whether to run the webhook on an object based on whether + the namespace for that object matches the selector. If the object itself is a namespace, the + matching is performed on object.metadata.labels. If the object is another cluster scoped resource, + it never skips the webhook. 
For example, to run the webhook on any objects whose namespace is not + associated with 'runlevel' of '0' or '1'; you will set the selector as follows: + 'namespaceSelector': { 'matchExpressions': [ { 'key': 'runlevel', 'operator': + 'NotIn', 'values': [ '0', '1' ] } ] } If instead you want to + only run the webhook on any objects whose namespace is associated with the 'environment' of 'prod' + or 'staging'; you will set the selector as follows: 'namespaceSelector': { 'matchExpressions': [ + { 'key': 'environment', 'operator': 'In', 'values': [ 'prod', + 'staging' ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with- + objects/labels/ for more examples of label selectors. Default to the empty LabelSelector, which + matches everything. + objectSelector: ObjectSelector decides whether to run the webhook based on if the object has matching + labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to + the webhook, and is considered to match if either object matches the selector. A null object + (oldObject in the case of create, or newObject in the case of delete) or an object that cannot + have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. + Use the object selector only if the webhook is opt-in, because end users may skip the admission + webhook by setting the labels. Default to the empty LabelSelector, which matches everything. + reinvocationPolicy: reinvocationPolicy indicates whether this webhook should be called multiple times + as part of a single admission evaluation. Allowed values are 'Never' and 'IfNeeded'. Never: the + webhook will not be called more than once in a single admission evaluation. IfNeeded: the webhook + will be called at least one additional time as part of the admission evaluation if the object + being admitted is modified by other admission plugins after the initial webhook call. 
Webhooks + that specify this option *must* be idempotent, able to process objects they previously admitted. + Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional + invocations result in further modifications to the object, webhooks are not guaranteed to be + invoked again. * webhooks that use this option may be reordered to minimize the number of + additional invocations. * to validate an object after all mutations are guaranteed complete, use a + validating admission webhook instead. Defaults to 'Never'. + rules: Rules describes what operations on what resources/subresources the webhook cares about. The + webhook cares about an operation if it matches _any_ Rule. However, in order to prevent + ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state + which cannot be recovered from without completely disabling the plugin, + ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests + for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + sideEffects: SideEffects states whether this webhook has side effects. Acceptable values are: None, + NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side + effects MUST implement a reconciliation system, since a request may be rejected by a future step + in the admission chain and the side effects therefore need to be undone. Requests with the dryRun + attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. + timeoutSeconds: TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the + webhook call will be ignored or the API call will fail based on the failure policy. The timeout + value must be between 1 and 30 seconds. Default to 10 seconds. + """ - NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames. 
+ + name: str + clientConfig: WebhookClientConfig + sideEffects: str + admissionReviewVersions: List[str] + failurePolicy: Optional[str] = None + matchConditions: Optional[List[MatchCondition]] = None + matchPolicy: Optional[str] = None + namespaceSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + objectSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + reinvocationPolicy: Optional[str] = None + rules: Optional[List[RuleWithOperations]] = None + timeoutSeconds: Optional[int] = None + + +@dataclass +class MutatingWebhookConfiguration(K8sResource): + """MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or + reject and may change the object. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: Standard object metadata; + webhooks: Webhooks is a list of webhooks and the affected resources and operations. + + """ + + apiVersion: Literal['admissionregistration.k8s.io/v1'] = 'admissionregistration.k8s.io/v1' + kind: Literal['MutatingWebhookConfiguration'] = 'MutatingWebhookConfiguration' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + webhooks: Optional[List[MutatingWebhook]] = None + + +@dataclass +class NamedRuleWithOperations(K8sSpec): + """NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames. + Attributes: apiGroups: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. 
@@ -150,7 +281,8 @@ class NamedRuleWithOperations(K8sSpec): that there are no scope restrictions. Subresources match the scope of their parent resource. Default is '*'. -""" + """ + apiGroups: Optional[List[str]] = None apiVersions: Optional[List[str]] = None operations: Optional[List[str]] = None @@ -158,24 +290,27 @@ class NamedRuleWithOperations(K8sSpec): resources: Optional[List[str]] = None scope: Optional[str] = None + @dataclass class ParamKind(K8sSpec): - """ - ParamKind is a tuple of Group Kind and Version. + """ParamKind is a tuple of Group Kind and Version. + Attributes: apiVersion: APIVersion is the API group version the resources belong to. In format of 'group/version'. Required. kind: Kind is the API kind the resources belong to. Required. -""" + """ + apiVersion: Optional[str] = None kind: Optional[str] = None + @dataclass class ParamRef(K8sSpec): - """ - ParamRef describes how to locate the params to be used as input to expressions of rules applied by a + """ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding. + Attributes: name: name is the name of the resource being referenced. One of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. 
@@ -200,27 +335,82 @@ class ParamRef(K8sSpec): be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset. -""" + """ + name: Optional[str] = None namespace: Optional[str] = None parameterNotFoundAction: Optional[str] = None - selector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + selector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + @dataclass -class TypeChecking(K8sSpec): +class RuleWithOperations(K8sSpec): + """RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the + tuple expansions are valid. + + Attributes: + apiGroups: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, + the length of the slice must be one. Required. + apiVersions: APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is + present, the length of the slice must be one. Required. + operations: Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, + CONNECT or * for all of those operations and any future admission operations that are added. If + '*' is present, the length of the slice must be one. Required. + resources: Resources is a list of resources this rule applies to. For example: 'pods' means pods. + 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all + resources and their subresources. If wildcard is present, the validation rule will ensure + resources do not overlap with each other. Depending on the enclosing object, subresources might + not be allowed. Required. + scope: scope specifies the scope of this rule. Valid values are 'Cluster', 'Namespaced', and '*' + 'Cluster' means that only cluster-scoped resources will match this rule. Namespace API objects are + cluster-scoped. 
'Namespaced' means that only namespaced resources will match this rule. '*' means + that there are no scope restrictions. Subresources match the scope of their parent resource. + Default is '*'. + + """ + + apiGroups: Optional[List[str]] = None + apiVersions: Optional[List[str]] = None + operations: Optional[List[str]] = None + resources: Optional[List[str]] = None + scope: Optional[str] = None + + +@dataclass +class ServiceReference(K8sSpec): + """ServiceReference holds a reference to Service.legacy.k8s.io + Attributes: + name: `name` is the name of the service. Required + namespace: `namespace` is the namespace of the service. Required + path: `path` is an optional URL path which will be sent in any request to this service. + port: If specified, the port on the service that hosting webhook. Default to 443 for backward + compatibility. `port` should be a valid port number (1-65535, inclusive). + """ - TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy + + namespace: str + name: str + path: Optional[str] = None + port: Optional[int] = None + + +@dataclass +class TypeChecking(K8sSpec): + """TypeChecking contains results of type checking the expressions in the ValidatingAdmissionPolicy Attributes: expressionWarnings: The type checking warnings for each expression. -""" + """ + expressionWarnings: Optional[List[ExpressionWarning]] = None + @dataclass class ValidatingAdmissionPolicy(K8sResource): - """ - ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or + """ValidatingAdmissionPolicy describes the definition of an admission validation policy that accepts or rejects an object without changing it. + Attributes: apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized 
@@ -232,17 +422,18 @@ class ValidatingAdmissionPolicy(K8sResource): status: The status of the ValidatingAdmissionPolicy, including warnings that are useful to determine if the policy behaves in the expected way. Populated by the system. Read-only. -""" - apiVersion: Literal['admissionregistration.k8s.io/v1beta1'] = 'admissionregistration.k8s.io/v1beta1' + """ + + apiVersion: Literal['admissionregistration.k8s.io/v1'] = 'admissionregistration.k8s.io/v1' kind: Literal['ValidatingAdmissionPolicy'] = 'ValidatingAdmissionPolicy' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ValidatingAdmissionPolicySpec] = None status: Optional[ValidatingAdmissionPolicyStatus] = None + @dataclass class ValidatingAdmissionPolicyBinding(K8sResource): - """ - ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. + """ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters. For a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the @@ -250,6 +441,7 @@ class ValidatingAdmissionPolicyBinding(K8sResource): CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget. + Attributes: apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized 
@@ -259,16 +451,18 @@ class ValidatingAdmissionPolicyBinding(K8sResource): metadata: Standard object metadata; spec: Specification of the desired behavior of the ValidatingAdmissionPolicyBinding. -""" - apiVersion: Literal['admissionregistration.k8s.io/v1beta1'] = 'admissionregistration.k8s.io/v1beta1' + """ + + apiVersion: Literal['admissionregistration.k8s.io/v1'] = 'admissionregistration.k8s.io/v1' kind: Literal['ValidatingAdmissionPolicyBinding'] = 'ValidatingAdmissionPolicyBinding' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ValidatingAdmissionPolicyBindingSpec] = None + @dataclass class ValidatingAdmissionPolicyBindingSpec(K8sSpec): - """ - ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding. + """ValidatingAdmissionPolicyBindingSpec is the specification of the ValidatingAdmissionPolicyBinding. + Attributes: matchResources: MatchResources declares what resources match this binding and will be validated by it. Note that this is intersected with the policy's matchConstraints, so only requests that are 
@@ -305,21 +499,24 @@ class ValidatingAdmissionPolicyBindingSpec(K8sSpec): ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `'validation.policy.admission.k8s.io/validation_failure': '[{'message': 'Invalid value', {'policy': 'policy.example.com', {'binding': - 'policybinding.example.com', {'expressionIndex': '1', {'validationActions': ['Audit']}]'` Clients - should expect to handle additional values by ignoring any values not recognized. 'Deny' and - 'Warn' may not be used together since this combination needlessly duplicates the validation - failure both in the API response body and the HTTP warning headers. Required. + 'policybinding.example.com', {'expressionIndex': '1', {'validationActions': + ['Audit']}]'` Clients should expect to handle additional values by ignoring any values not + recognized. 'Deny' and 'Warn' may not be used together since this combination needlessly + duplicates the validation failure both in the API response body and the HTTP warning headers. + Required. + + """ -""" matchResources: Optional[MatchResources] = None paramRef: Optional[ParamRef] = None policyName: Optional[str] = None validationActions: Optional[List[str]] = None + @dataclass class ValidatingAdmissionPolicySpec(K8sSpec): - """ - ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy. + """ValidatingAdmissionPolicySpec is the specification of the desired behavior of the AdmissionPolicy. + Attributes: auditAnnotations: auditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. validations and auditAnnotations may not both 
@@ -360,7 +557,8 @@ class ValidatingAdmissionPolicySpec(K8sSpec): refer to other variables defined earlier in the list but not those after. Thus, Variables must be sorted by the order of first appearance and acyclic. -""" + """ + auditAnnotations: Optional[List[AuditAnnotation]] = None failurePolicy: Optional[str] = None matchConditions: Optional[List[MatchCondition]] = None 
@@ -369,25 +567,135 @@ class ValidatingAdmissionPolicySpec(K8sSpec): validations: Optional[List[Validation]] = None variables: Optional[List[Variable]] = None + @dataclass class ValidatingAdmissionPolicyStatus(K8sSpec): - """ - ValidatingAdmissionPolicyStatus represents the status of an admission validation policy. + """ValidatingAdmissionPolicyStatus represents the status of an admission validation policy. + Attributes: conditions: The conditions represent the latest available observations of a policy's current state. observedGeneration: The generation observed by the controller. typeChecking: The results of type checking for each expression. Presence of this field indicates the completion of the type checking. -""" - conditions: Optional[List[gybe.k8s.v1_29.meta.v1.Condition]] = None + """ + + conditions: Optional[List[gybe.k8s.v1_33.meta.v1.Condition]] = None observedGeneration: Optional[int] = None typeChecking: Optional[TypeChecking] = None + @dataclass -class Validation(K8sSpec): +class ValidatingWebhook(K8sSpec): + """ValidatingWebhook describes an admission webhook and the resources and operations it applies to. + + Attributes: + admissionReviewVersions: AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` + versions the Webhook expects. API server will try to use first version in the list which it + supports. If none of the versions specified in this list supported by API server, validation will + fail for this object. If a persisted webhook configuration specifies allowed versions and does not + include any versions known to the API Server, calls to the webhook will fail and be subject to the + failure policy. + clientConfig: ClientConfig defines how to communicate with the hook. Required + failurePolicy: FailurePolicy defines how unrecognized errors from the admission endpoint are handled - + allowed values are Ignore or Fail. Defaults to Fail. 
+ matchConditions: MatchConditions is a list of conditions that must be met for a request to be sent to + this webhook. Match conditions filter requests that have already been matched by the rules, + namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. + There are a maximum of 64 match conditions allowed. The exact matching logic is (in order): 1. + If ANY matchCondition evaluates to FALSE, the webhook is skipped. 2. If ALL matchConditions + evaluate to TRUE, the webhook is called. 3. If any matchCondition evaluates to an error (but + none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, + the error is ignored and the webhook is skipped + matchPolicy: matchPolicy defines how the 'rules' list is used to match incoming requests. Allowed + values are 'Exact' or 'Equivalent'. - Exact: match a request only if it exactly matches a + specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and + extensions/v1beta1, but 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: + ['deployments']`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the + webhook. - Equivalent: match a request if modifies a resource listed in rules, even via another + API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and + extensions/v1beta1, and 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: + ['deployments']`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 + and sent to the webhook. Defaults to 'Equivalent' + name: The name of the admission webhook. Name should be fully qualified, e.g., + imagepolicy.kubernetes.io, where 'imagepolicy' is the name of the webhook, and kubernetes.io is + the name of the organization. Required. 
+ namespaceSelector: NamespaceSelector decides whether to run the webhook on an object based on whether + the namespace for that object matches the selector. If the object itself is a namespace, the + matching is performed on object.metadata.labels. If the object is another cluster scoped resource, + it never skips the webhook. For example, to run the webhook on any objects whose namespace is not + associated with 'runlevel' of '0' or '1'; you will set the selector as follows: + 'namespaceSelector': { 'matchExpressions': [ { 'key': 'runlevel', 'operator': + 'NotIn', 'values': [ '0', '1' ] } ] } If instead you want to + only run the webhook on any objects whose namespace is associated with the 'environment' of 'prod' + or 'staging'; you will set the selector as follows: 'namespaceSelector': { 'matchExpressions': [ + { 'key': 'environment', 'operator': 'In', 'values': [ 'prod', + 'staging' ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with- + objects/labels for more examples of label selectors. Default to the empty LabelSelector, which + matches everything. + objectSelector: ObjectSelector decides whether to run the webhook based on if the object has matching + labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to + the webhook, and is considered to match if either object matches the selector. A null object + (oldObject in the case of create, or newObject in the case of delete) or an object that cannot + have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. + Use the object selector only if the webhook is opt-in, because end users may skip the admission + webhook by setting the labels. Default to the empty LabelSelector, which matches everything. + rules: Rules describes what operations on what resources/subresources the webhook cares about. The + webhook cares about an operation if it matches _any_ Rule. 
However, in order to prevent + ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state + which cannot be recovered from without completely disabling the plugin, + ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests + for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. + sideEffects: SideEffects states whether this webhook has side effects. Acceptable values are: None, + NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side + effects MUST implement a reconciliation system, since a request may be rejected by a future step + in the admission chain and the side effects therefore need to be undone. Requests with the dryRun + attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. + timeoutSeconds: TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the + webhook call will be ignored or the API call will fail based on the failure policy. The timeout + value must be between 1 and 30 seconds. Default to 10 seconds. + """ - Validation specifies the CEL expression which is used to apply the validation. + + name: str + clientConfig: WebhookClientConfig + sideEffects: str + admissionReviewVersions: List[str] + failurePolicy: Optional[str] = None + matchConditions: Optional[List[MatchCondition]] = None + matchPolicy: Optional[str] = None + namespaceSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + objectSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + rules: Optional[List[RuleWithOperations]] = None + timeoutSeconds: Optional[int] = None + + +@dataclass +class ValidatingWebhookConfiguration(K8sResource): + """ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or + reject and object without changing it. 
+ + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: Standard object metadata; + webhooks: Webhooks is a list of webhooks and the affected resources and operations. + + """ + + apiVersion: Literal['admissionregistration.k8s.io/v1'] = 'admissionregistration.k8s.io/v1' + kind: Literal['ValidatingWebhookConfiguration'] = 'ValidatingWebhookConfiguration' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + webhooks: Optional[List[ValidatingWebhook]] = None + + +@dataclass +class Validation(K8sSpec): + """Validation specifies the CEL expression which is used to apply the validation. + Attributes: expression: Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API @@ -444,17 +752,19 @@ class Validation(K8sSpec): 'Unauthorized', 'Forbidden', 'Invalid', 'RequestEntityTooLarge'. If not set, StatusReasonInvalid is used in the response to the client. -""" + """ + expression: str message: Optional[str] = None messageExpression: Optional[str] = None reason: Optional[str] = None + @dataclass class Variable(K8sSpec): - """ - Variable is the definition of a variable that is used for composition. A variable is defined as a + """Variable is the definition of a variable that is used for composition. A variable is defined as a named expression. + Attributes: expression: Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation. 
@@ -462,6 +772,35 @@ class Variable(K8sSpec): variables. The variable can be accessed in other expressions through `variables` For example, if name is 'foo', the variable will be available as `variables.foo` -""" + """ + name: str - expression: str \ No newline at end of file + expression: str + + +@dataclass +class WebhookClientConfig(K8sSpec): + """WebhookClientConfig contains the information to make a TLS connection with the webhook + Attributes: + caBundle: `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server + certificate. If unspecified, system trust roots on the apiserver are used. + service: `service` is a reference to the service for this webhook. Either `service` or `url` must be + specified. If the webhook is running within the cluster, then you should use `service`. + url: `url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). + Exactly one of `url` or `service` must be specified. The `host` should not refer to a service + running in the cluster; use the `service` field instead. The host might be resolved via external + DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a + layering violation). `host` may also be an IP address. Please note that using `localhost` or + `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which + run an apiserver which might need to make calls to this webhook. Such installs are likely to be + non-portable, i.e., not easy to turn up in a new cluster. The scheme must be 'https'; the URL + must begin with 'https://'. A path is optional, and if present may be any string permissible in a + URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster + identifier. Attempting to use a user or basic auth e.g. 'user:password@' is not allowed. + Fragments ('#...') and query parameters ('?...') are not allowed, either. 
+ + """ + + caBundle: Optional[str] = None + service: Optional[ServiceReference] = None + url: Optional[str] = None diff --git a/gybe/k8s/v1_33/admissionregistration/v1alpha1.py b/gybe/k8s/v1_33/admissionregistration/v1alpha1.py new file mode 100644 index 0000000..f9c21b2 --- /dev/null +++ b/gybe/k8s/v1_33/admissionregistration/v1alpha1.py 
@@ -0,0 +1,440 @@ +"""Models generated from Kubernetes OpenAPI Spec.""" + +from __future__ import annotations + +from dataclasses import dataclass +from typing import List, Literal, Optional + +import gybe.k8s.v1_33.meta.v1 +from gybe.k8s.types import K8sResource, K8sSpec + + +@dataclass +class ApplyConfiguration(K8sSpec): + """ApplyConfiguration defines the desired configuration values of an object. + + Attributes: + expression: expression will be evaluated by CEL to create an apply configuration. ref: + https://github.com/google/cel-spec Apply configurations are declared in CEL using object + initialization. For example, this CEL expression returns an apply configuration to set a single + field: Object{ spec: Object.spec{ serviceAccountName: 'example' + } } Apply configurations may not modify atomic structs, maps or arrays due to the risk of + accidental deletion of values not included in the apply configuration. CEL expressions have + access to the object types needed to create apply configurations: - 'Object' - CEL type of the + resource object. - 'Object.' - CEL type of object field (such as 'Object.spec') - + 'Object.....` - CEL type of nested field (such as + 'Object.spec.containers') CEL expressions have access to the contents of the API request, + organized into CEL variables as well as some other useful variables: - 'object' - The object from + the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. + The value is null for CREATE requests. - 'request' - Attributes of the API + request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource + referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - + 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null + for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its + lazily evaluated value. 
For example, a variable named 'foo' can be accessed as 'variables.foo'. + - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal + (user or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL + ResourceCheck constructed from the 'authorizer' and configured with the request resource. The + `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the + root of the object. No other metadata properties are accessible. Only property names of the form + `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required. + + """ + + expression: Optional[str] = None + + +@dataclass +class JSONPatch(K8sSpec): + """JSONPatch defines a JSON Patch. + + Attributes: + expression: expression will be evaluated by CEL to create a [JSON patch](https://jsonpatch.com/). ref: + https://github.com/google/cel-spec expression must return an array of JSONPatch values. For + example, this CEL expression returns a JSON patch to conditionally modify a value: [ + JSONPatch{op: 'test', path: '/spec/example', value: 'Red'}, JSONPatch{op: 'replace', + path: '/spec/example', value: 'Green'} ] To define an object for the patch value, use + Object types. For example: [ JSONPatch{ op: 'add', + path: '/spec/selector', value: Object.spec.selector{matchLabels: {'environment': + 'test'}} } ] To use strings containing '/' and '~' as JSONPatch path keys, + use 'jsonpatch.escapeKey'. For example: [ JSONPatch{ op: + 'add', path: '/metadata/labels/' + jsonpatch.escapeKey('example.com/environment'), + value: 'test' }, ] CEL expressions have access to the types needed to + create JSON patches and objects: - 'JSONPatch' - CEL type of JSON Patch operations. JSONPatch has + the fields 'op', 'from', 'path' and 'value'. See [JSON patch](https://jsonpatch.com/) for more + details. The 'value' field may be set to any of: string, integer, array, map or object. 
If set, + the 'path' and 'from' fields must be set to a [JSON + pointer](https://datatracker.ietf.org/doc/html/rfc6901/) string, where the 'jsonpatch.escapeKey()' + CEL function may be used to escape path keys containing '/' and '~'. - 'Object' - CEL type of + the resource object. - 'Object.' - CEL type of object field (such as 'Object.spec') - + 'Object.....` - CEL type of nested field (such as + 'Object.spec.containers') CEL expressions have access to the contents of the API request, + organized into CEL variables as well as some other useful variables: - 'object' - The object from + the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. + The value is null for CREATE requests. - 'request' - Attributes of the API + request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource + referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - + 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null + for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its + lazily evaluated value. For example, a variable named 'foo' can be accessed as 'variables.foo'. + - 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal + (user or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL + ResourceCheck constructed from the 'authorizer' and configured with the request resource. CEL + expressions have access to [Kubernetes CEL function + libraries](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and- + libraries) as well as: - 'jsonpatch.escapeKey' - Performs JSONPatch key escaping. '~' and '/' + are escaped as '~0' and `~1' respectively). Only property names of the form `[a-zA- + Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Required. 
+ + """ + + expression: Optional[str] = None + + +@dataclass +class MatchCondition(K8sSpec): + """Schema model io.k8s.api.admissionregistration.v1alpha1.MatchCondition. + + Attributes: + expression: Expression represents the expression which will be evaluated by CEL. Must evaluate to + bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, + organized into CEL variables: 'object' - The object from the incoming request. The value is null + for DELETE requests. 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal + (user or service account) of the request. See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz 'authorizer.requestResource' - A CEL + ResourceCheck constructed from the 'authorizer' and configured with the request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ Required. + name: Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of the + associated expression. Name must be a qualified name consisting of alphanumeric characters, '-', + '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', + or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') Required. + + """ + + name: str + expression: str + + +@dataclass +class MatchResources(K8sSpec): + """MatchResources decides whether to run the admission control policy on an object based on whether it + meets the match criteria. 
The exclude rules take precedence over include rules (if a resource matches + both, it is excluded) + + Attributes: + excludeResourceRules: ExcludeResourceRules describes what operations on what resources/subresources + the policy should not care about. The exclude rules take precedence over include rules (if a + resource matches both, it is excluded) + matchPolicy: matchPolicy defines how the 'MatchResources' list is used to match incoming requests. + Allowed values are 'Exact' or 'Equivalent'. - Exact: match a request only if it exactly matches a + specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and + extensions/v1beta1, but 'rules' only included `apiGroups:['apps'], apiVersions:['v1'], resources: + ['deployments']`, the admission policy does not consider requests to apps/v1beta1 or + extensions/v1beta1 API groups. - Equivalent: match a request if modifies a resource listed in + rules, even via another API group or version. For example, if deployments can be modified via + apps/v1, apps/v1beta1, and extensions/v1beta1, and 'rules' only included `apiGroups:['apps'], + apiVersions:['v1'], resources: ['deployments']`, the admission policy **does** consider requests + made to apps/v1beta1 or extensions/v1beta1 API groups. The API server translates the request to a + matched resource API if necessary. Defaults to 'Equivalent' + namespaceSelector: NamespaceSelector decides whether to run the admission control policy on an object + based on whether the namespace for that object matches the selector. If the object itself is a + namespace, the matching is performed on object.metadata.labels. If the object is another cluster + scoped resource, it never skips the policy. 
For example, to run the webhook on any objects whose + namespace is not associated with 'runlevel' of '0' or '1'; you will set the selector as follows: + 'namespaceSelector': { 'matchExpressions': [ { 'key': 'runlevel', 'operator': + 'NotIn', 'values': [ '0', '1' ] } ] } If instead you want to + only run the policy on any objects whose namespace is associated with the 'environment' of 'prod' + or 'staging'; you will set the selector as follows: 'namespaceSelector': { 'matchExpressions': [ + { 'key': 'environment', 'operator': 'In', 'values': [ 'prod', + 'staging' ] } ] } See https://kubernetes.io/docs/concepts/overview/working-with- + objects/labels/ for more examples of label selectors. Default to the empty LabelSelector, which + matches everything. + objectSelector: ObjectSelector decides whether to run the policy based on if the object has matching + labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to + the policy's expression (CEL), and is considered to match if either object matches the selector. A + null object (oldObject in the case of create, or newObject in the case of delete) or an object + that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered + to match. Use the object selector only if the webhook is opt-in, because end users may skip the + admission webhook by setting the labels. Default to the empty LabelSelector, which matches + everything. + resourceRules: ResourceRules describes what operations on what resources/subresources the admission + policy matches. The policy cares about an operation if it matches _any_ Rule. 
+ + """ + + excludeResourceRules: Optional[List[NamedRuleWithOperations]] = None + matchPolicy: Optional[str] = None + namespaceSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + objectSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + resourceRules: Optional[List[NamedRuleWithOperations]] = None + + +@dataclass +class MutatingAdmissionPolicy(K8sResource): + """MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the + object coming into admission chain. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: Standard object metadata; + spec: Specification of the desired behavior of the MutatingAdmissionPolicy. + + """ + + apiVersion: Literal['admissionregistration.k8s.io/v1alpha1'] = 'admissionregistration.k8s.io/v1alpha1' + kind: Literal['MutatingAdmissionPolicy'] = 'MutatingAdmissionPolicy' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + spec: Optional[MutatingAdmissionPolicySpec] = None + + +@dataclass +class MutatingAdmissionPolicyBinding(K8sResource): + """MutatingAdmissionPolicyBinding binds the MutatingAdmissionPolicy with parametrized resources. + MutatingAdmissionPolicyBinding and the optional parameter resource together define how cluster + administrators configure policies for clusters. For a given admission request, each binding will + cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, + otherwise N is the number of parameters selected by the binding. 
Each evaluation is constrained by a + [runtime cost budget](https://kubernetes.io/docs/reference/using-api/cel/#runtime-cost-budget). + Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) + combination is within its own CEL budget. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: Standard object metadata; + spec: Specification of the desired behavior of the MutatingAdmissionPolicyBinding. + + """ + + apiVersion: Literal['admissionregistration.k8s.io/v1alpha1'] = 'admissionregistration.k8s.io/v1alpha1' + kind: Literal['MutatingAdmissionPolicyBinding'] = 'MutatingAdmissionPolicyBinding' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + spec: Optional[MutatingAdmissionPolicyBindingSpec] = None + + +@dataclass +class MutatingAdmissionPolicyBindingSpec(K8sSpec): + """MutatingAdmissionPolicyBindingSpec is the specification of the MutatingAdmissionPolicyBinding. + + Attributes: + matchResources: matchResources limits what resources match this binding and may be mutated by it. Note + that if matchResources matches a resource, the resource must also match a policy's + matchConstraints and matchConditions before the resource may be mutated. When matchResources is + unset, it does not constrain resource matching, and only the policy's matchConstraints and + matchConditions must match for the resource to be mutated. Additionally, + matchResources.resourceRules are optional and do not constraint matching when unset. Note that + this is differs from MutatingAdmissionPolicy matchConstraints, where resourceRules are required. 
+ The CREATE, UPDATE and CONNECT operations are allowed. The DELETE operation may not be matched. + '*' matches CREATE, UPDATE and CONNECT. + paramRef: paramRef specifies the parameter resource used to configure the admission control policy. It + should point to a resource of the type specified in spec.ParamKind of the bound + MutatingAdmissionPolicy. If the policy specifies a ParamKind and the resource referred to by + ParamRef does not exist, this binding is considered mis-configured and the FailurePolicy of the + MutatingAdmissionPolicy applied. If the policy does not specify a ParamKind then this field is + ignored, and the rules are evaluated without a param. + policyName: policyName references a MutatingAdmissionPolicy name which the + MutatingAdmissionPolicyBinding binds to. If the referenced resource does not exist, this binding + is considered invalid and will be ignored Required. + + """ + + matchResources: Optional[MatchResources] = None + paramRef: Optional[ParamRef] = None + policyName: Optional[str] = None + + +@dataclass +class MutatingAdmissionPolicySpec(K8sSpec): + """MutatingAdmissionPolicySpec is the specification of the desired behavior of the admission policy. + + Attributes: + failurePolicy: failurePolicy defines how to handle failures for the admission policy. Failures can + occur from CEL expression parse errors, type check errors, runtime errors and invalid or mis- + configured policy definitions or bindings. A policy is invalid if paramKind refers to a non- + existent Kind. A binding is invalid if paramRef.name refers to a non-existent resource. + failurePolicy does not define how validations that evaluate to false are handled. Allowed values + are Ignore or Fail. Defaults to Fail. + matchConditions: matchConditions is a list of conditions that must be met for a request to be + validated. Match conditions filter requests that have already been matched by the + matchConstraints. An empty list of matchConditions matches all requests. 
There are a maximum of 64 + match conditions allowed. If a parameter object is provided, it can be accessed via the `params` + handle in the same manner as validation expressions. The exact matching logic is (in order): 1. + If ANY matchCondition evaluates to FALSE, the policy is skipped. 2. If ALL matchConditions + evaluate to TRUE, the policy is evaluated. 3. If any matchCondition evaluates to an error (but + none are FALSE): - If failurePolicy=Fail, reject the request - If failurePolicy=Ignore, + the policy is skipped + matchConstraints: matchConstraints specifies what resources this policy is designed to validate. The + MutatingAdmissionPolicy cares about a request if it matches _all_ Constraints. However, in order + to prevent clusters from being put into an unstable state that cannot be recovered from via the + API MutatingAdmissionPolicy cannot match MutatingAdmissionPolicy and + MutatingAdmissionPolicyBinding. The CREATE, UPDATE and CONNECT operations are allowed. The DELETE + operation may not be matched. '*' matches CREATE, UPDATE and CONNECT. Required. + mutations: mutations contain operations to perform on matching objects. mutations may not be empty; a + minimum of one mutation is required. mutations are evaluated in order, and are reinvoked according + to the reinvocationPolicy. The mutations of a policy are invoked for each binding of this policy + and reinvocation of mutations occurs on a per binding basis. + paramKind: paramKind specifies the kind of resources used to parameterize this policy. If absent, + there are no parameters for this policy and the param CEL variable will not be provided to + validation expressions. If paramKind refers to a non-existent kind, this policy definition is mis- + configured and the FailurePolicy is applied. If paramKind is specified but paramRef is unset in + MutatingAdmissionPolicyBinding, the params variable will be null. 
+ reinvocationPolicy: reinvocationPolicy indicates whether mutations may be called multiple times per + MutatingAdmissionPolicyBinding as part of a single admission evaluation. Allowed values are + 'Never' and 'IfNeeded'. Never: These mutations will not be called more than once per binding in a + single admission evaluation. IfNeeded: These mutations may be invoked more than once per binding + for a single admission request and there is no guarantee of order with respect to other admission + plugins, admission webhooks, bindings of this policy and admission policies. Mutations are only + reinvoked when mutations change the object after this mutation is invoked. Required. + variables: variables contain definitions of variables that can be used in composition of other + expressions. Each variable is defined as a named CEL expression. The variables defined here will + be available under `variables` in other expressions of the policy except matchConditions because + matchConditions are evaluated before the rest of the policy. The expression of a variable can + refer to other variables defined earlier in the list but not those after. Thus, variables must be + sorted by the order of first appearance and acyclic. + + """ + + failurePolicy: Optional[str] = None + matchConditions: Optional[List[MatchCondition]] = None + matchConstraints: Optional[MatchResources] = None + mutations: Optional[List[Mutation]] = None + paramKind: Optional[ParamKind] = None + reinvocationPolicy: Optional[str] = None + variables: Optional[List[Variable]] = None + + +@dataclass +class Mutation(K8sSpec): + """Mutation specifies the CEL expression which is used to apply the Mutation. + + Attributes: + applyConfiguration: applyConfiguration defines the desired configuration values of an object. The + configuration is applied to the admission object using [structured merge + diff](https://github.com/kubernetes-sigs/structured-merge-diff). A CEL expression is used to + create apply configuration. 
+ jsonPatch: jsonPatch defines a [JSON patch](https://jsonpatch.com/) operation to perform a mutation to + the object. A CEL expression is used to create the JSON patch. + patchType: patchType indicates the patch strategy used. Allowed values are 'ApplyConfiguration' and + 'JSONPatch'. Required. + + """ + + patchType: str + applyConfiguration: Optional[ApplyConfiguration] = None + jsonPatch: Optional[JSONPatch] = None + + +@dataclass +class NamedRuleWithOperations(K8sSpec): + """NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames. + + Attributes: + apiGroups: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, + the length of the slice must be one. Required. + apiVersions: APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is + present, the length of the slice must be one. Required. + operations: Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, + CONNECT or * for all of those operations and any future admission operations that are added. If + '*' is present, the length of the slice must be one. Required. + resourceNames: ResourceNames is an optional white list of names that the rule applies to. An empty + set means that everything is allowed. + resources: Resources is a list of resources this rule applies to. For example: 'pods' means pods. + 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. + 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all + resources and their subresources. If wildcard is present, the validation rule will ensure + resources do not overlap with each other. Depending on the enclosing object, subresources might + not be allowed. Required. + scope: scope specifies the scope of this rule. Valid values are 'Cluster', 'Namespaced', and '*' + 'Cluster' means that only cluster-scoped resources will match this rule. 
Namespace API objects are + cluster-scoped. 'Namespaced' means that only namespaced resources will match this rule. '*' means + that there are no scope restrictions. Subresources match the scope of their parent resource. + Default is '*'. + + """ + + apiGroups: Optional[List[str]] = None + apiVersions: Optional[List[str]] = None + operations: Optional[List[str]] = None + resourceNames: Optional[List[str]] = None + resources: Optional[List[str]] = None + scope: Optional[str] = None + + +@dataclass +class ParamKind(K8sSpec): + """ParamKind is a tuple of Group Kind and Version. + + Attributes: + apiVersion: APIVersion is the API group version the resources belong to. In format of 'group/version'. + Required. + kind: Kind is the API kind the resources belong to. Required. + + """ + + apiVersion: Optional[str] = None + kind: Optional[str] = None + + +@dataclass +class ParamRef(K8sSpec): + """ParamRef describes how to locate the params to be used as input to expressions of rules applied by a + policy binding. + + Attributes: + name: `name` is the name of the resource being referenced. `name` and `selector` are mutually + exclusive properties. If one is set, the other must be unset. + namespace: namespace is the namespace of the referenced resource. Allows limiting the search for + params to a specific namespace. Applies to both `name` and `selector` fields. A per-namespace + parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this + field empty. - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field + results in a configuration error. - If `paramKind` is namespace-scoped, the namespace of the + object being evaluated for admission will be used when this field is left unset. Take care that if + this is left empty the binding must not match any cluster-scoped resources, which will result in + an error. 
+ parameterNotFoundAction: `parameterNotFoundAction` controls the behavior of the binding when the + resource exists, and name or selector is valid, but there are no parameters matched by the + binding. If the value is set to `Allow`, then no matched parameters will be treated as successful + validation by the binding. If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. Allowed values are `Allow` or `Deny` Default to `Deny` + selector: selector can be used to match multiple param objects based on their labels. Supply selector: + {} to match all resources of the ParamKind. If multiple params are found, they are all evaluated + with the policy expressions and the results are ANDed together. One of `name` or `selector` must + be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must + be unset. + + """ + + name: Optional[str] = None + namespace: Optional[str] = None + parameterNotFoundAction: Optional[str] = None + selector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + + +@dataclass +class Variable(K8sSpec): + """Variable is the definition of a variable that is used for composition. + + Attributes: + expression: Expression is the expression that will be evaluated as the value of the variable. The CEL + expression has access to the same identifiers as the CEL expressions in Validation. + name: Name is the name of the variable. The name must be a valid CEL identifier and unique among all + variables. The variable can be accessed in other expressions through `variables` For example, if + name is 'foo', the variable will be available as `variables.foo` + + """ + + name: str + expression: str diff --git a/gybe/k8s/v1_29/admissionregistration/v1beta1.py b/gybe/k8s/v1_33/admissionregistration/v1beta1.py similarity index 97% rename from gybe/k8s/v1_29/admissionregistration/v1beta1.py rename to gybe/k8s/v1_33/admissionregistration/v1beta1.py index f21980e..2c6d284 100644 
--- a/gybe/k8s/v1_29/admissionregistration/v1beta1.py +++ b/gybe/k8s/v1_33/admissionregistration/v1beta1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec @@ -131,8 +131,8 @@ class MatchResources(K8sSpec): excludeResourceRules: Optional[List[NamedRuleWithOperations]] = None matchPolicy: Optional[str] = None - namespaceSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None - objectSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + namespaceSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + objectSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None resourceRules: Optional[List[NamedRuleWithOperations]] = None @@ -221,7 +221,7 @@ class ParamRef(K8sSpec): name: Optional[str] = None namespace: Optional[str] = None parameterNotFoundAction: Optional[str] = None - selector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + selector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None @dataclass @@ -255,7 +255,7 @@ class ValidatingAdmissionPolicy(K8sResource): apiVersion: Literal['admissionregistration.k8s.io/v1beta1'] = 'admissionregistration.k8s.io/v1beta1' kind: Literal['ValidatingAdmissionPolicy'] = 'ValidatingAdmissionPolicy' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ValidatingAdmissionPolicySpec] = None status: Optional[ValidatingAdmissionPolicyStatus] = None 
@@ -284,7 +284,7 @@ class ValidatingAdmissionPolicyBinding(K8sResource): apiVersion: Literal['admissionregistration.k8s.io/v1beta1'] = 'admissionregistration.k8s.io/v1beta1' kind: Literal['ValidatingAdmissionPolicyBinding'] = 'ValidatingAdmissionPolicyBinding' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ValidatingAdmissionPolicyBindingSpec] = None @@ -328,10 +328,11 @@ class ValidatingAdmissionPolicyBindingSpec(K8sSpec): ValidatingAdmissionPolicy - validationActions: The enforcement actions enacted for the validation failure Example audit annotation: `'validation.policy.admission.k8s.io/validation_failure': '[{'message': 'Invalid value', {'policy': 'policy.example.com', {'binding': - 'policybinding.example.com', {'expressionIndex': '1', {'validationActions': ['Audit']}]'` Clients - should expect to handle additional values by ignoring any values not recognized. 'Deny' and - 'Warn' may not be used together since this combination needlessly duplicates the validation - failure both in the API response body and the HTTP warning headers. Required. + 'policybinding.example.com', {'expressionIndex': '1', {'validationActions': + ['Audit']}]'` Clients should expect to handle additional values by ignoring any values not + recognized. 'Deny' and 'Warn' may not be used together since this combination needlessly + duplicates the validation failure both in the API response body and the HTTP warning headers. + Required. """ @@ -408,7 +409,7 @@ class ValidatingAdmissionPolicyStatus(K8sSpec): """ - conditions: Optional[List[gybe.k8s.v1_29.meta.v1.Condition]] = None + conditions: Optional[List[gybe.k8s.v1_33.meta.v1.Condition]] = None observedGeneration: Optional[int] = None typeChecking: Optional[TypeChecking] = None 
diff --git a/gybe/k8s/v1_29/api/resource.py b/gybe/k8s/v1_33/api/resource.py similarity index 100% rename from gybe/k8s/v1_29/api/resource.py rename to gybe/k8s/v1_33/api/resource.py diff --git a/gybe/k8s/v1_29/apiextensions/v1.py b/gybe/k8s/v1_33/apiextensions/v1.py similarity index 96% rename from gybe/k8s/v1_29/apiextensions/v1.py rename to gybe/k8s/v1_33/apiextensions/v1.py index 69a82d6..8c8c8a8 100644 --- a/gybe/k8s/v1_29/apiextensions/v1.py +++ b/gybe/k8s/v1_33/apiextensions/v1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONObj, K8sResource, K8sSpec @@ -76,7 +76,7 @@ class CustomResourceDefinition(K8sResource): spec: CustomResourceDefinitionSpec apiVersion: Literal['apiextensions.k8s.io/v1'] = 'apiextensions.k8s.io/v1' kind: Literal['CustomResourceDefinition'] = 'CustomResourceDefinition' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[CustomResourceDefinitionStatus] = None @@ -204,6 +204,9 @@ class CustomResourceDefinitionVersion(K8sSpec): version at `/apis///...` if `served` is true. schema: schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource. + selectableFields: selectableFields specifies paths to fields that may be used as field selectors. A + maximum of 8 selectable fields are allowed. See + https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors served: served is a flag enabling/disabling this version from being served via REST APIs storage: storage indicates this version should be used when persisting custom resources to storage. There must be exactly one version with storage=true. 
@@ -218,6 +221,7 @@ class CustomResourceDefinitionVersion(K8sSpec): deprecated: Optional[bool] = None deprecationWarning: Optional[str] = None schema: Optional[CustomResourceValidation] = None + selectableFields: Optional[List[SelectableField]] = None subresources: Optional[CustomResourceSubresources] = None @@ -291,6 +295,22 @@ class ExternalDocumentation(K8sSpec): url: Optional[str] = None +@dataclass +class SelectableField(K8sSpec): + """SelectableField specifies the JSON path of a field that may be used with field selectors. + + Attributes: + jsonPath: jsonPath is a simple JSON path which is evaluated against each custom resource to produce a + field selector value. Only JSON paths without the array notation are allowed. Must point to a + field of type string, boolean or integer. Types with enum values and strings with formats are + allowed. If jsonPath refers to absent field in a resource, the jsonPath evaluates to an empty + string. Must not point to metdata fields. Required. + + """ + + jsonPath: str + + @dataclass class ServiceReference(K8sSpec): """ServiceReference holds a reference to Service.legacy.k8s.io diff --git a/gybe/k8s/v1_29/apiregistration/v1.py b/gybe/k8s/v1_33/apiregistration/v1.py similarity index 98% rename from gybe/k8s/v1_29/apiregistration/v1.py rename to gybe/k8s/v1_33/apiregistration/v1.py index 04ecd29..8941b3d 100644 --- a/gybe/k8s/v1_29/apiregistration/v1.py +++ b/gybe/k8s/v1_33/apiregistration/v1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec 
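Review bot: The new `SelectableField` docstring misspells a word in its last sentence, `Must not point to metdata fields`, and drops an article in `refers to absent field`; the corrected text would read `Must not point to metadata fields` and `refers to an absent field`. The wording looks copied from the upstream API description, and the commit also touches `codegen/kubernetes`, so if this module is generated the correction belongs upstream or in the generator rather than in this file.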
@@ -27,7 +27,7 @@ class APIService(K8sResource): apiVersion: Literal['apiregistration.k8s.io/v1'] = 'apiregistration.k8s.io/v1' kind: Literal['APIService'] = 'APIService' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[APIServiceSpec] = None status: Optional[APIServiceStatus] = None diff --git a/gybe/k8s/v1_29/apiserverinternal/v1alpha1.py b/gybe/k8s/v1_33/apiserverinternal/v1alpha1.py similarity index 96% rename from gybe/k8s/v1_29/apiserverinternal/v1alpha1.py rename to gybe/k8s/v1_33/apiserverinternal/v1alpha1.py index c6cdc7f..33ffe8c 100644 --- a/gybe/k8s/v1_29/apiserverinternal/v1alpha1.py +++ b/gybe/k8s/v1_33/apiserverinternal/v1alpha1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONObj, K8sResource, K8sSpec @@ -52,7 +52,7 @@ class StorageVersion(K8sResource): status: StorageVersionStatus apiVersion: Literal['internal.apiserver.k8s.io/v1alpha1'] = 'internal.apiserver.k8s.io/v1alpha1' kind: Literal['StorageVersion'] = 'StorageVersion' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None @dataclass @@ -73,8 +73,8 @@ class StorageVersionCondition(K8sSpec): type: str status: str reason: str + message: str lastTransitionTime: Optional[str] = None - message: Optional[str] = None observedGeneration: Optional[int] = None diff --git a/gybe/k8s/v1_29/apps/v1.py b/gybe/k8s/v1_33/apps/v1.py similarity index 91% rename from gybe/k8s/v1_29/apps/v1.py rename to gybe/k8s/v1_33/apps/v1.py index f26970b..5d9a878 100644 --- a/gybe/k8s/v1_29/apps/v1.py +++ b/gybe/k8s/v1_33/apps/v1.py 
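Review bot: In `StorageVersionCondition`, `message` changes from `Optional[str] = None` to a required field and is now declared before `lastTransitionTime`, which shifts the generated `__init__` signature. A caller that passed a fourth positional argument as `lastTransitionTime` will now have it bound to `message` without any error, since both are strings and dataclasses do not check types at runtime, and a caller that omitted `message` now gets a `TypeError`. I would document this on the field, for example `# required in v1_33 (Optional in v1_29); pass fields by keyword`, and mention it in the release notes for code moving from the `v1_29` modules. The class header and docstring are outside this hunk.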
@@ -5,8 +5,8 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.core.v1 -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.core.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONObj, K8sResource, K8sSpec @@ -36,7 +36,7 @@ class ControllerRevision(K8sResource): apiVersion: Literal['apps/v1'] = 'apps/v1' kind: Literal['ControllerRevision'] = 'ControllerRevision' data: Optional[JSONObj] = None - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None @dataclass @@ -58,7 +58,7 @@ class DaemonSet(K8sResource): apiVersion: Literal['apps/v1'] = 'apps/v1' kind: Literal['DaemonSet'] = 'DaemonSet' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[DaemonSetSpec] = None status: Optional[DaemonSetStatus] = None @@ -102,8 +102,8 @@ class DaemonSetSpec(K8sSpec): """ - selector: gybe.k8s.v1_29.meta.v1.LabelSelector - template: gybe.k8s.v1_29.core.v1.PodTemplateSpec + selector: gybe.k8s.v1_33.meta.v1.LabelSelector + template: gybe.k8s.v1_33.core.v1.PodTemplateSpec minReadySeconds: Optional[int] = None revisionHistoryLimit: Optional[int] = None updateStrategy: Optional[DaemonSetUpdateStrategy] = None @@ -179,7 +179,7 @@ class Deployment(K8sResource): apiVersion: Literal['apps/v1'] = 'apps/v1' kind: Literal['Deployment'] = 'Deployment' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[DeploymentSpec] = None status: Optional[DeploymentStatus] = None 
@@ -231,8 +231,8 @@ class DeploymentSpec(K8sSpec): """ - selector: gybe.k8s.v1_29.meta.v1.LabelSelector - template: gybe.k8s.v1_29.core.v1.PodTemplateSpec + selector: gybe.k8s.v1_33.meta.v1.LabelSelector + template: gybe.k8s.v1_33.core.v1.PodTemplateSpec minReadySeconds: Optional[int] = None paused: Optional[bool] = None progressDeadlineSeconds: Optional[int] = None 
@@ -246,21 +246,26 @@ class DeploymentStatus(K8sSpec): """DeploymentStatus is the most recently observed status of the Deployment. Attributes: - availableReplicas: Total number of available pods (ready for at least minReadySeconds) targeted by - this deployment. + availableReplicas: Total number of available non-terminating pods (ready for at least minReadySeconds) + targeted by this deployment. collisionCount: Count of hash collisions for the Deployment. The Deployment controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ReplicaSet. conditions: Represents the latest available observations of a deployment's current state. observedGeneration: The generation observed by the deployment controller. - readyReplicas: readyReplicas is the number of pods targeted by this Deployment with a Ready Condition. - replicas: Total number of non-terminated pods targeted by this deployment (their labels match the + readyReplicas: Total number of non-terminating pods targeted by this Deployment with a Ready + Condition. + replicas: Total number of non-terminating pods targeted by this deployment (their labels match the selector). + terminatingReplicas: Total number of terminating pods targeted by this deployment. Terminating pods + have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded + .status.phase. This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able + to use this field. unavailableReplicas: Total number of unavailable pods targeted by this deployment. This is the total number of pods that are still required for the deployment to have 100% available capacity. They may either be pods that are running but not yet available or pods that still have not been created. - updatedReplicas: Total number of non-terminated pods targeted by this deployment that have the desired - template spec. 
+ updatedReplicas: Total number of non-terminating pods targeted by this deployment that have the + desired template spec. """ @@ -270,6 +275,7 @@ class DeploymentStatus(K8sSpec): observedGeneration: Optional[int] = None readyReplicas: Optional[int] = None replicas: Optional[int] = None + terminatingReplicas: Optional[int] = None unavailableReplicas: Optional[int] = None updatedReplicas: Optional[int] = None @@ -308,7 +314,7 @@ class ReplicaSet(K8sResource): apiVersion: Literal['apps/v1'] = 'apps/v1' kind: Literal['ReplicaSet'] = 'ReplicaSet' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ReplicaSetSpec] = None status: Optional[ReplicaSetStatus] = None @@ -341,8 +347,8 @@ class ReplicaSetSpec(K8sSpec): minReadySeconds: Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready) - replicas: Replicas is the number of desired replicas. This is a pointer to distinguish between - explicit zero and unspecified. Defaults to 1. + replicas: Replicas is the number of desired pods. This is a pointer to distinguish between explicit + zero and unspecified. Defaults to 1. selector: Selector is a label query over pods that should match the replica count. Label keys and values that must match in order to be controlled by this replica set. It must match the pod template's labels. @@ -351,10 +357,10 @@ class ReplicaSetSpec(K8sSpec): """ - selector: gybe.k8s.v1_29.meta.v1.LabelSelector + selector: gybe.k8s.v1_33.meta.v1.LabelSelector minReadySeconds: Optional[int] = None replicas: Optional[int] = None - template: Optional[gybe.k8s.v1_29.core.v1.PodTemplateSpec] = None + template: Optional[gybe.k8s.v1_33.core.v1.PodTemplateSpec] = None @dataclass 
@@ -362,15 +368,19 @@ class ReplicaSetStatus(K8sSpec): """ReplicaSetStatus represents the current status of a ReplicaSet. Attributes: - availableReplicas: The number of available replicas (ready for at least minReadySeconds) for this - replica set. + availableReplicas: The number of available non-terminating pods (ready for at least minReadySeconds) + for this replica set. conditions: Represents the latest available observations of a replica set's current state. - fullyLabeledReplicas: The number of pods that have labels matching the labels of the pod template of - the replicaset. + fullyLabeledReplicas: The number of non-terminating pods that have labels matching the labels of the + pod template of the replicaset. observedGeneration: ObservedGeneration reflects the generation of the most recently observed ReplicaSet. - readyReplicas: readyReplicas is the number of pods targeted by this ReplicaSet with a Ready Condition. - replicas: Replicas is the most recently observed number of replicas. + readyReplicas: The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition. + replicas: Replicas is the most recently observed number of non-terminating pods. + terminatingReplicas: The number of terminating pods for this replica set. Terminating pods have a non- + null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase. + This is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this + field. """ @@ -380,6 +390,7 @@ class ReplicaSetStatus(K8sSpec): fullyLabeledReplicas: Optional[int] = None observedGeneration: Optional[int] = None readyReplicas: Optional[int] = None + terminatingReplicas: Optional[int] = None @dataclass 
@@ -486,7 +497,7 @@ class StatefulSet(K8sResource): apiVersion: Literal['apps/v1'] = 'apps/v1' kind: Literal['StatefulSet'] = 'StatefulSet' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[StatefulSetSpec] = None status: Optional[StatefulSetStatus] = None @@ -557,14 +568,12 @@ class StatefulSetSpec(K8sSpec): available as soon as it is ready) ordinals: ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a '0' index to the first replica and increments the index by one for each - additional replica requested. Using the ordinals field requires the StatefulSetStartOrdinal - feature gate to be enabled, which is beta. + additional replica requested. persistentVolumeClaimRetentionPolicy: persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is - deleted, or when their pod is scaled down. This requires the StatefulSetAutoDeletePVC feature gate - to be enabled, which is alpha. +optional + deleted, or when their pod is scaled down. podManagementPolicy: podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each 
@@ -598,17 +607,17 @@ class StatefulSetSpec(K8sSpec): """ - selector: gybe.k8s.v1_29.meta.v1.LabelSelector - template: gybe.k8s.v1_29.core.v1.PodTemplateSpec - serviceName: str + selector: gybe.k8s.v1_33.meta.v1.LabelSelector + template: gybe.k8s.v1_33.core.v1.PodTemplateSpec minReadySeconds: Optional[int] = None ordinals: Optional[StatefulSetOrdinals] = None persistentVolumeClaimRetentionPolicy: Optional[StatefulSetPersistentVolumeClaimRetentionPolicy] = None podManagementPolicy: Optional[str] = None replicas: Optional[int] = None revisionHistoryLimit: Optional[int] = None + serviceName: Optional[str] = None updateStrategy: Optional[StatefulSetUpdateStrategy] = None - volumeClaimTemplates: Optional[List[gybe.k8s.v1_29.core.v1.PersistentVolumeClaim]] = None + volumeClaimTemplates: Optional[List[gybe.k8s.v1_33.core.v1.PersistentVolumeClaim]] = None @dataclass diff --git a/gybe/k8s/v1_29/authentication/v1.py b/gybe/k8s/v1_33/authentication/v1.py similarity index 97% rename from gybe/k8s/v1_29/authentication/v1.py rename to gybe/k8s/v1_33/authentication/v1.py index 2573e3c..63ab4c2 100644 --- a/gybe/k8s/v1_29/authentication/v1.py +++ b/gybe/k8s/v1_33/authentication/v1.py 
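Review bot: `serviceName` moves from the third required field of `StatefulSetSpec` to an optional field further down, so a caller that builds the spec positionally, e.g. `StatefulSetSpec(selector, template, 'web')`, now binds that string to `minReadySeconds`, and a plain dataclass will not complain. Positional slots shift the same way where `fieldSelector` is inserted ahead of `group` in `ResourceAttributes` and where `managedBy` is inserted into `JobSpec`. For `ResourceAttributes` the misplaced value ends up in an authorization query, which is the case I would least like to fail silently. If the supported Python versions allow it, having the generator emit `@dataclass(kw_only=True)` would turn such calls into a `TypeError`; otherwise the release notes should say that fields must be passed by keyword. The class body starts outside this hunk.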
@@ -5,29 +5,10 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONDict, K8sResource, K8sSpec -@dataclass -class UserInfo(K8sSpec): - """UserInfo holds the information about the user needed to implement the user.Info interface. - - Attributes: - extra: Any additional information provided by the authenticator. - groups: The names of groups this user is a part of. - uid: A unique value that identifies this user across time. If this user is deleted and another user by - the same name is added, they will have different UIDs. - username: The name that uniquely identifies this user among all active users. - - """ - - extra: Optional[JSONDict] = None - groups: Optional[List[str]] = None - uid: Optional[str] = None - username: Optional[str] = None - - @dataclass class BoundObjectReference(K8sSpec): """BoundObjectReference is a reference to an object that a token is bound to. @@ -65,7 +46,7 @@ class TokenRequest(K8sResource): spec: TokenRequestSpec apiVersion: Literal['authentication.k8s.io/v1'] = 'authentication.k8s.io/v1' kind: Literal['TokenRequest'] = 'TokenRequest' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[TokenRequestStatus] = None @@ -127,7 +108,7 @@ class SelfSubjectReview(K8sResource): apiVersion: Literal['authentication.k8s.io/v1'] = 'authentication.k8s.io/v1' kind: Literal['SelfSubjectReview'] = 'SelfSubjectReview' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[SelfSubjectReviewStatus] = None 
@@ -163,7 +144,7 @@ class TokenReview(K8sResource): spec: TokenReviewSpec apiVersion: Literal['authentication.k8s.io/v1'] = 'authentication.k8s.io/v1' kind: Literal['TokenReview'] = 'TokenReview' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[TokenReviewStatus] = None @@ -206,3 +187,22 @@ class TokenReviewStatus(K8sSpec): authenticated: Optional[bool] = None error: Optional[str] = None user: Optional[UserInfo] = None + + +@dataclass +class UserInfo(K8sSpec): + """UserInfo holds the information about the user needed to implement the user.Info interface. + + Attributes: + extra: Any additional information provided by the authenticator. + groups: The names of groups this user is a part of. + uid: A unique value that identifies this user across time. If this user is deleted and another user by + the same name is added, they will have different UIDs. + username: The name that uniquely identifies this user among all active users. + + """ + + extra: Optional[JSONDict] = None + groups: Optional[List[str]] = None + uid: Optional[str] = None + username: Optional[str] = None diff --git a/gybe/k8s/v1_29/authorization/v1.py b/gybe/k8s/v1_33/authorization/v1.py similarity index 74% rename from gybe/k8s/v1_29/authorization/v1.py rename to gybe/k8s/v1_33/authorization/v1.py index 1e43aa4..cf1b423 100644 --- a/gybe/k8s/v1_29/authorization/v1.py +++ b/gybe/k8s/v1_33/authorization/v1.py 
@@ -5,10 +5,66 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONDict, K8sResource, K8sSpec +@dataclass +class FieldSelectorAttributes(K8sSpec): + """FieldSelectorAttributes indicates a field limited access. Webhook authors are encouraged to * ensure + rawSelector and requirements are not both set * consider the requirements field if set * not try to + parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting + different systems to agree on how exactly to parse a query is not something we want), see + https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the + *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are + empty, the request is not limited. * If rawSelector is present and requirements are empty, the + rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and + requirements are present, the requirements should be honored * If rawSelector is present and + requirements are present, the request is invalid. + + Attributes: + rawSelector: rawSelector is the serialization of a field selector that would be included in a query + parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's + *SubjectAccessReview will parse the rawSelector as long as the requirements are not present. + requirements: requirements is the parsed interpretation of a field selector. All requirements must be + met for a resource instance to match the selector. Webhook implementations should handle + requirements, but how to handle them is up to the webhook. Since requirements can only limit the + request, it is safe to authorize as unlimited request if the requirements are not understood. 
+ + """ + + rawSelector: Optional[str] = None + requirements: Optional[List[gybe.k8s.v1_33.meta.v1.FieldSelectorRequirement]] = None + + +@dataclass +class LabelSelectorAttributes(K8sSpec): + """LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure + rawSelector and requirements are not both set * consider the requirements field if set * not try to + parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting + different systems to agree on how exactly to parse a query is not something we want), see + https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the + *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are + empty, the request is not limited. * If rawSelector is present and requirements are empty, the + rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and + requirements are present, the requirements should be honored * If rawSelector is present and + requirements are present, the request is invalid. + + Attributes: + rawSelector: rawSelector is the serialization of a field selector that would be included in a query + parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's + *SubjectAccessReview will parse the rawSelector as long as the requirements are not present. + requirements: requirements is the parsed interpretation of a label selector. All requirements must be + met for a resource instance to match the selector. Webhook implementations should handle + requirements, but how to handle them is up to the webhook. Since requirements can only limit the + request, it is safe to authorize as unlimited request if the requirements are not understood. 
+ + """ + + rawSelector: Optional[str] = None + requirements: Optional[List[gybe.k8s.v1_33.meta.v1.LabelSelectorRequirement]] = None + + @dataclass class LocalSubjectAccessReview(K8sResource): """LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given @@ -31,7 +87,7 @@ class LocalSubjectAccessReview(K8sResource): spec: SubjectAccessReviewSpec apiVersion: Literal['authorization.k8s.io/v1'] = 'authorization.k8s.io/v1' kind: Literal['LocalSubjectAccessReview'] = 'LocalSubjectAccessReview' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[SubjectAccessReviewStatus] = None @@ -69,7 +125,13 @@ class ResourceAttributes(K8sSpec): """ResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface Attributes: + fieldSelector: fieldSelector describes the limitation on access based on field. It can only limit + access, not broaden it. This field is alpha-level. To use this field, you must enable the + `AuthorizeWithSelectors` feature gate (disabled by default). group: Group is the API Group of the Resource. '*' means all. + labelSelector: labelSelector describes the limitation on access based on labels. It can only limit + access, not broaden it. This field is alpha-level. To use this field, you must enable the + `AuthorizeWithSelectors` feature gate (disabled by default). name: Name is the name of the resource being requested for a 'get' or deleted for a 'delete'. '' (empty) means all. namespace: Namespace is the namespace of the action being requested. Currently, there is no @@ -84,7 +146,9 @@ class ResourceAttributes(K8sSpec): """ + fieldSelector: Optional[FieldSelectorAttributes] = None group: Optional[str] = None + labelSelector: Optional[LabelSelectorAttributes] = None name: Optional[str] = None namespace: Optional[str] = None resource: Optional[str] = None 
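Review bot: The docstrings of `FieldSelectorAttributes` and `LabelSelectorAttributes` state that a request with both `rawSelector` and `requirements` present is invalid, but the generated classes accept any combination, so the mistake only surfaces when the API server rejects the review. Unless `K8sSpec` already validates this (it is not visible here), I would have the generator emit a `__post_init__` containing `if self.rawSelector is not None and self.requirements is not None: raise ValueError('rawSelector and requirements are mutually exclusive')`. Separately, the `rawSelector` attribute text in `LabelSelectorAttributes` reads "serialization of a field selector", which looks inherited from the upstream schema. A generator-side override or a short comment saying it is the label selector would avoid confusion in a security-relevant field.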
@@ -137,7 +201,7 @@ class SelfSubjectAccessReview(K8sResource): spec: SelfSubjectAccessReviewSpec apiVersion: Literal['authorization.k8s.io/v1'] = 'authorization.k8s.io/v1' kind: Literal['SelfSubjectAccessReview'] = 'SelfSubjectAccessReview' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[SubjectAccessReviewStatus] = None @@ -181,7 +245,7 @@ class SelfSubjectRulesReview(K8sResource): spec: SelfSubjectRulesReviewSpec apiVersion: Literal['authorization.k8s.io/v1'] = 'authorization.k8s.io/v1' kind: Literal['SelfSubjectRulesReview'] = 'SelfSubjectRulesReview' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[SubjectRulesReviewStatus] = None @@ -216,7 +280,7 @@ class SubjectAccessReview(K8sResource): spec: SubjectAccessReviewSpec apiVersion: Literal['authorization.k8s.io/v1'] = 'authorization.k8s.io/v1' kind: Literal['SubjectAccessReview'] = 'SubjectAccessReview' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[SubjectAccessReviewStatus] = None diff --git a/gybe/k8s/v1_29/autoscaling/v1.py b/gybe/k8s/v1_33/autoscaling/v1.py similarity index 97% rename from gybe/k8s/v1_29/autoscaling/v1.py rename to gybe/k8s/v1_33/autoscaling/v1.py index bcc12b6..65070f7 100644 --- a/gybe/k8s/v1_29/autoscaling/v1.py +++ b/gybe/k8s/v1_33/autoscaling/v1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec 
@@ -27,7 +27,7 @@ class Scale(K8sResource): apiVersion: Literal['autoscaling/v1'] = 'autoscaling/v1' kind: Literal['Scale'] = 'Scale' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ScaleSpec] = None status: Optional[ScaleStatus] = None @@ -95,7 +95,7 @@ class HorizontalPodAutoscaler(K8sResource): apiVersion: Literal['autoscaling/v1'] = 'autoscaling/v1' kind: Literal['HorizontalPodAutoscaler'] = 'HorizontalPodAutoscaler' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[HorizontalPodAutoscalerSpec] = None status: Optional[HorizontalPodAutoscalerStatus] = None diff --git a/gybe/k8s/v1_29/autoscaling/v2.py b/gybe/k8s/v1_33/autoscaling/v2.py similarity index 90% rename from gybe/k8s/v1_29/autoscaling/v2.py rename to gybe/k8s/v1_33/autoscaling/v2.py index 0de17f4..5eb7612 100644 --- a/gybe/k8s/v1_29/autoscaling/v2.py +++ b/gybe/k8s/v1_33/autoscaling/v2.py @@ -5,8 +5,8 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.api.resource -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.api.resource +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec 
@@ -116,15 +116,18 @@ class HPAScalingPolicy(K8sSpec): @dataclass class HPAScalingRules(K8sSpec): - """HPAScalingRules configures the scaling behavior for one direction. These Rules are applied after - calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by - specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that - the number of replicas is not set instantly, instead, the safest value from the stabilization window - is chosen. + """HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a + configurable metric tolerance. Scaling Policy Rules are applied after calculating DesiredReplicas + from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can + prevent flapping by specifying the stabilization window, so that the number of replicas is not set + instantly, instead, the safest value from the stabilization window is chosen. The tolerance is + applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that + setting a tolerance requires enabling the alpha HPAConfigurableTolerance feature gate.) Attributes: - policies: policies is a list of potential scaling polices which can be used during scaling. At least - one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid + policies: policies is a list of potential scaling polices which can be used during scaling. If not + set, use the default values: - For scale up: allow doubling the number of pods, or an absolute + change of 4 pods in a 15s window. - For scale down: allow all pods to be removed in a 15s window. selectPolicy: selectPolicy is used to specify which policy should be used. If not set, the default value Max is used. stabilizationWindowSeconds: stabilizationWindowSeconds is the number of seconds for which past 
@@ -132,12 +135,20 @@ class HPAScalingRules(K8sSpec): must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + tolerance: tolerance is the tolerance on the ratio between the current and desired metric value under + which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater + than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%). + For example, if autoscaling is configured with a memory consumption target of 100Mi, and scale- + down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual + consumption falls below 95Mi or exceeds 101Mi. This is an alpha field and requires enabling the + HPAConfigurableTolerance feature gate. """ policies: Optional[List[HPAScalingPolicy]] = None selectPolicy: Optional[str] = None stabilizationWindowSeconds: Optional[int] = None + tolerance: Optional[gybe.k8s.v1_33.api.resource.Quantity] = None @dataclass @@ -160,7 +171,7 @@ class HorizontalPodAutoscaler(K8sResource): apiVersion: Literal['autoscaling/v2'] = 'autoscaling/v2' kind: Literal['HorizontalPodAutoscaler'] = 'HorizontalPodAutoscaler' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[HorizontalPodAutoscalerSpec] = None status: Optional[HorizontalPodAutoscalerStatus] = None @@ -275,7 +286,7 @@ class MetricIdentifier(K8sSpec): """ name: str - selector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + selector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None @dataclass 
@@ -287,8 +298,7 @@ class MetricSpec(K8sSpec): containerResource: containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling - options on top of those available to normal per-pod metrics using the 'pods' source. This is an - alpha feature and can be enabled by the HPAContainerMetrics feature flag. + options on top of those available to normal per-pod metrics using the 'pods' source. external: external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of @@ -303,8 +313,7 @@ class MetricSpec(K8sSpec): are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the 'pods' source. type: type is the type of metric source. It should be one of 'ContainerResource', 'External', - 'Object', 'Pods' or 'Resource', each mapping to a matching field in the object. Note: - 'ContainerResource' type is available on when the feature-gate HPAContainerMetrics is enabled + 'Object', 'Pods' or 'Resource', each mapping to a matching field in the object. """ @@ -339,8 +348,7 @@ class MetricStatus(K8sSpec): are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the 'pods' source. type: type is the type of metric source. It will be one of 'ContainerResource', 'External', 'Object', - 'Pods' or 'Resource', each corresponds to a matching field in the object. Note: - 'ContainerResource' type is available on when the feature-gate HPAContainerMetrics is enabled + 'Pods' or 'Resource', each corresponds to a matching field in the object. """ 
@@ -368,8 +376,8 @@ class MetricTarget(K8sSpec): type: str averageUtilization: Optional[int] = None - averageValue: Optional[gybe.k8s.v1_29.api.resource.Quantity] = None - value: Optional[gybe.k8s.v1_29.api.resource.Quantity] = None + averageValue: Optional[gybe.k8s.v1_33.api.resource.Quantity] = None + value: Optional[gybe.k8s.v1_33.api.resource.Quantity] = None @dataclass @@ -386,8 +394,8 @@ class MetricValueStatus(K8sSpec): """ averageUtilization: Optional[int] = None - averageValue: Optional[gybe.k8s.v1_29.api.resource.Quantity] = None - value: Optional[gybe.k8s.v1_29.api.resource.Quantity] = None + averageValue: Optional[gybe.k8s.v1_33.api.resource.Quantity] = None + value: Optional[gybe.k8s.v1_33.api.resource.Quantity] = None @dataclass diff --git a/gybe/k8s/v1_29/batch/v1.py b/gybe/k8s/v1_33/batch/v1.py similarity index 75% rename from gybe/k8s/v1_29/batch/v1.py rename to gybe/k8s/v1_33/batch/v1.py index 00a9091..f6f2b39 100644 --- a/gybe/k8s/v1_29/batch/v1.py +++ b/gybe/k8s/v1_33/batch/v1.py @@ -5,8 +5,8 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.core.v1 -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.core.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec @@ -28,7 +28,7 @@ class CronJob(K8sResource): apiVersion: Literal['batch/v1'] = 'batch/v1' kind: Literal['CronJob'] = 'CronJob' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[CronJobSpec] = None status: Optional[CronJobStatus] = None @@ -86,7 +86,7 @@ class CronJobStatus(K8sSpec): """ - active: Optional[List[gybe.k8s.v1_29.core.v1.ObjectReference]] = None + active: Optional[List[gybe.k8s.v1_33.core.v1.ObjectReference]] = None lastScheduleTime: Optional[str] = None lastSuccessfulTime: Optional[str] = None 
@@ -109,7 +109,7 @@ class Job(K8sResource): apiVersion: Literal['batch/v1'] = 'batch/v1' kind: Literal['Job'] = 'Job' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[JobSpec] = None status: Optional[JobStatus] = None @@ -149,9 +149,7 @@ class JobSpec(K8sSpec): backoffLimitPerIndex: Specifies the limit for the number of retries within an index before marking this index as failed. When enabled the number of failures per index is kept in the pod's batch.kubernetes.io/job-index-failure-count annotation. It can only be set when Job's - completionMode=Indexed, and the Pod's restart policy is Never. The field is immutable. This field - is beta-level. It can be used when the `JobBackoffLimitPerIndex` feature gate is enabled (enabled - by default). + completionMode=Indexed, and the Pod's restart policy is Never. The field is immutable. completionMode: completionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`. `NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. Each Pod completion is homologous to each 
@@ -167,6 +165,14 @@ class JobSpec(K8sSpec): Setting to null means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value. Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. + managedBy: ManagedBy field indicates the controller that manages a Job. The k8s Job controller + reconciles jobs which don't have this field at all or the field value is the reserved string + `kubernetes.io/job-controller`, but skips reconciling Jobs with a custom value for this field. The + value must be a valid domain-prefixed path (e.g. acme.io/foo) - all characters before the first + '/' must be a valid subdomain as defined by RFC 1123. All characters trailing the first '/' must + be valid HTTP Path characters as defined by RFC 3986. The value cannot exceed 63 characters. This + field is immutable. This field is beta-level. The job controller accepts setting the field when + the feature gate JobManagedBy is enabled (enabled by default). manualSelector: manualSelector controls generation of pod labels and pod selectors. Leave `manualSelector` unset unless you are certain what you are doing. When false or unset, the system pick labels unique to this job and appends those labels to the pod template. When true, the user 
@@ -178,9 +184,7 @@ class JobSpec(K8sSpec): Job is marked as Failed and its execution is terminated. When left as null the job continues execution of all of its indexes and is marked with the `Complete` Job condition. It can only be specified when backoffLimitPerIndex is set. It can be null or up to completions. It is required - and must be less than or equal to 10^4 when is completions greater than 10^5. This field is beta- - level. It can be used when the `JobBackoffLimitPerIndex` feature gate is enabled (enabled by - default). + and must be less than or equal to 10^4 when is completions greater than 10^5. parallelism: Specifies the maximum desired number of pods the job should run at any given time. The actual number of pods running in steady state will be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), i.e. when the work left to do is @@ -189,8 +193,7 @@ class JobSpec(K8sSpec): the set of actions and conditions which need to be satisfied to take the associated action. If empty, the default behaviour applies - the counter of failed pods, represented by the jobs's .status.failed field, is incremented and it is checked against the backoffLimit. This field cannot - be used in combination with restartPolicy=OnFailure. This field is beta-level. It can be used - when the `JobPodFailurePolicy` feature gate is enabled (enabled by default). + be used in combination with restartPolicy=OnFailure. podReplacementPolicy: podReplacementPolicy specifies when to create replacement Pods. Possible values are: - TerminatingOrFailed means that we recreate pods when they are terminating (has a metadata.deletionTimestamp) or failed. - Failed means to wait until a previously created Pod is 
@@ -200,6 +203,10 @@ class JobSpec(K8sSpec): JobPodReplacementPolicy feature toggle. This is on by default. selector: A label query over pods that should match the pod count. Normally, the system sets this field for you. + successPolicy: successPolicy specifies the policy when the Job can be declared as succeeded. If empty, + the default behavior applies - the Job is declared as succeeded only when the number of succeeded + pods equals to the completions. When the field is specified, it must be immutable and works only + for the Indexed Jobs. Once the Job meets the SuccessPolicy, the lingering pods are terminated. suspend: suspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods @@ -217,18 +224,20 @@ class JobSpec(K8sSpec): """ - template: gybe.k8s.v1_29.core.v1.PodTemplateSpec + template: gybe.k8s.v1_33.core.v1.PodTemplateSpec activeDeadlineSeconds: Optional[int] = None backoffLimit: Optional[int] = None backoffLimitPerIndex: Optional[int] = None completionMode: Optional[str] = None completions: Optional[int] = None + managedBy: Optional[str] = None manualSelector: Optional[bool] = None maxFailedIndexes: Optional[int] = None parallelism: Optional[int] = None podFailurePolicy: Optional[PodFailurePolicy] = None podReplacementPolicy: Optional[str] = None - selector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + selector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + successPolicy: Optional[SuccessPolicy] = None suspend: Optional[bool] = None ttlSecondsAfterFinished: Optional[int] = None 
@@ -238,7 +247,8 @@ class JobStatus(K8sSpec): """JobStatus represents the current state of a Job. Attributes: - active: The number of pending and running pods. + active: The number of pending and running pods which are not terminating (without a + deletionTimestamp). The value is zero for finished jobs. completedIndexes: completedIndexes holds the completed indexes when .spec.completionMode = 'Indexed' in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented 
@@ -246,25 +256,33 @@ class JobStatus(K8sSpec): indexes are 1, 3, 4, 5 and 7, they are represented as '1,3-5,7'. completionTime: Represents time when the job was completed. It is not guaranteed to be set in happens- before order across separate operations. It is represented in RFC3339 form and is in UTC. The - completion time is only set when the job finishes successfully. + completion time is set when the job finishes successfully, and only then. The value cannot be + updated or removed. The value indicates the same or later point in time as the startTime field. conditions: The latest available observations of an object's current state. When a Job fails, one of the conditions will have type 'Failed' and status true. When a Job is suspended, one of the conditions will have type 'Suspended' and status true; when the Job is resumed, the status of this condition will become false. When a Job is completed, one of the conditions will have type - 'Complete' and status true. - failed: The number of pods which reached phase Failed. - failedIndexes: FailedIndexes holds the failed indexes when backoffLimitPerIndex=true. The indexes are - represented in the text format analogous as for the `completedIndexes` field, ie. they are kept as - decimal integers separated by commas. The numbers are listed in increasing order. Three or more - consecutive numbers are compressed and represented by the first and last element of the series, - separated by a hyphen. For example, if the failed indexes are 1, 3, 4, 5 and 7, they are - represented as '1,3-5,7'. This field is beta-level. It can be used when the - `JobBackoffLimitPerIndex` feature gate is enabled (enabled by default). - ready: The number of pods which have a Ready condition. + 'Complete' and status true. A job is considered finished when it is in a terminal condition, + either 'Complete' or 'Failed'. A Job cannot have both the 'Complete' and 'Failed' conditions. 
+ Additionally, it cannot be in the 'Complete' and 'FailureTarget' conditions. The 'Complete', + 'Failed' and 'FailureTarget' conditions cannot be disabled. + failed: The number of pods which reached phase Failed. The value increases monotonically. + failedIndexes: FailedIndexes holds the failed indexes when spec.backoffLimitPerIndex is set. The + indexes are represented in the text format analogous as for the `completedIndexes` field, ie. they + are kept as decimal integers separated by commas. The numbers are listed in increasing order. + Three or more consecutive numbers are compressed and represented by the first and last element of + the series, separated by a hyphen. For example, if the failed indexes are 1, 3, 4, 5 and 7, they + are represented as '1,3-5,7'. The set of failed indexes cannot overlap with the set of completed + indexes. + ready: The number of active pods which have a Ready condition and are not terminating (without a + deletionTimestamp). startTime: Represents time when the job controller started processing a job. When a Job is created in the suspended state, this field is not set until the first time it is resumed. This field is reset every time a Job is resumed from suspension. It is represented in RFC3339 form and is in UTC. - succeeded: The number of pods which reached phase Succeeded. + Once set, the field can only be removed when the job is suspended. The field cannot be modified + while the job is unsuspended or finished. + succeeded: The number of pods which reached phase Succeeded. The value increases monotonically for a + given spec. However, it may decrease in reaction to scale down of elastic indexed jobs. terminating: The number of pods which are terminating (in phase Pending or Running and have a deletionTimestamp). This field is beta-level. The job controller populates the field when the feature gate JobPodReplacementPolicy is enabled (enabled by default). 
@@ -274,6 +292,7 @@ class JobStatus(K8sSpec): account for it in the job status: 1. Add the pod UID to the arrays in this field. 2. Remove the pod finalizer. 3. Remove the pod UID from the arrays while increasing the corresponding counter. Old jobs might not be tracked using this field, in which case the field remains null. + The structure is empty for finished jobs. """ @@ -299,7 +318,7 @@ class JobTemplateSpec(K8sSpec): """ - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[JobSpec] = None 
@@ -375,12 +394,10 @@ class PodFailurePolicyRule(K8sSpec): action: Specifies the action taken on a pod failure when the requirements are satisfied. Possible values are: - FailJob: indicates that the pod's job is marked as Failed and all running pods are terminated. - FailIndex: indicates that the pod's index is marked as Failed and will not be - restarted. This value is beta-level. It can be used when the `JobBackoffLimitPerIndex` feature - gate is enabled (enabled by default). - Ignore: indicates that the counter towards the - .backoffLimit is not incremented and a replacement pod is created. - Count: indicates that the - pod is handled in the default way - the counter towards the .backoffLimit is incremented. - Additional values are considered to be added in the future. Clients should react to an unknown - action by skipping the rule. + restarted. - Ignore: indicates that the counter towards the .backoffLimit is not incremented and + a replacement pod is created. - Count: indicates that the pod is handled in the default way - the + counter towards the .backoffLimit is incremented. Additional values are considered to be added in + the future. Clients should react to an unknown action by skipping the rule. onExitCodes: Represents the requirement on the container exit codes. onPodConditions: Represents the requirement on the pod conditions. The requirement is represented as a list of pod condition patterns. The requirement is satisfied if at least one pattern matches an 
@@ -393,6 +410,50 @@ class PodFailurePolicyRule(K8sSpec): onPodConditions: Optional[List[PodFailurePolicyOnPodConditionsPattern]] = None +@dataclass +class SuccessPolicy(K8sSpec): + """SuccessPolicy describes when a Job can be declared as succeeded based on the success of some indexes. + + Attributes: + rules: rules represents the list of alternative rules for the declaring the Jobs as successful before + `.status.succeeded >= .spec.completions`. Once any of the rules are met, the + 'SucceededCriteriaMet' condition is added, and the lingering pods are removed. The terminal state + for such a Job has the 'Complete' condition. Additionally, these rules are evaluated in order; + Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed. + + """ + + rules: List[SuccessPolicyRule] + + +@dataclass +class SuccessPolicyRule(K8sSpec): + """SuccessPolicyRule describes rule for declaring a Job as succeeded. Each rule must have at least one of + the 'succeededIndexes' or 'succeededCount' specified. + + Attributes: + succeededCount: succeededCount specifies the minimal required size of the actual set of the succeeded + indexes for the Job. When succeededCount is used along with succeededIndexes, the check is + constrained only to the set of indexes specified by succeededIndexes. For example, given that + succeededIndexes is '1-4', succeededCount is '3', and completed indexes are '1', '3', and '5', the + Job isn't declared as succeeded because only '1' and '3' indexes are considered in that rules. + When this field is null, this doesn't default to any value and is never evaluated at any time. + When specified it needs to be a positive integer. + succeededIndexes: succeededIndexes specifies the set of indexes which need to be contained in the + actual set of the succeeded indexes for the Job. The list of indexes must be within 0 to + '.spec.completions-1' and must not contain duplicates. At least one element is required. 
The + indexes are represented as intervals separated by commas. The intervals can be a decimal integer + or a pair of decimal integers separated by a hyphen. The number are listed in represented by the + first and last element of the series, separated by a hyphen. For example, if the completed indexes + are 1, 3, 4, 5 and 7, they are represented as '1,3-5,7'. When this field is null, this field + doesn't default to any value and is never evaluated at any time. + + """ + + succeededCount: Optional[int] = None + succeededIndexes: Optional[str] = None + + @dataclass class UncountedTerminatedPods(K8sSpec): """UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't been accounted in Job diff --git a/gybe/k8s/v1_29/certificates/v1.py b/gybe/k8s/v1_33/certificates/v1.py similarity index 99% rename from gybe/k8s/v1_29/certificates/v1.py rename to gybe/k8s/v1_33/certificates/v1.py index 73d07e6..a79bf55 100644 --- a/gybe/k8s/v1_29/certificates/v1.py +++ b/gybe/k8s/v1_33/certificates/v1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONDict, K8sResource, K8sSpec @@ -37,7 +37,7 @@ class CertificateSigningRequest(K8sResource): spec: CertificateSigningRequestSpec apiVersion: Literal['certificates.k8s.io/v1'] = 'certificates.k8s.io/v1' kind: Literal['CertificateSigningRequest'] = 'CertificateSigningRequest' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None status: Optional[CertificateSigningRequestStatus] = None diff --git a/gybe/k8s/v1_29/certificates/v1alpha1.py b/gybe/k8s/v1_33/certificates/v1alpha1.py similarity index 97% rename from gybe/k8s/v1_29/certificates/v1alpha1.py rename to gybe/k8s/v1_33/certificates/v1alpha1.py index d05e603..3d4ed87 100644 --- a/gybe/k8s/v1_29/certificates/v1alpha1.py +++ b/gybe/k8s/v1_33/certificates/v1alpha1.py 
@@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec @@ -35,7 +35,7 @@ class ClusterTrustBundle(K8sResource): spec: ClusterTrustBundleSpec apiVersion: Literal['certificates.k8s.io/v1alpha1'] = 'certificates.k8s.io/v1alpha1' kind: Literal['ClusterTrustBundle'] = 'ClusterTrustBundle' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None @dataclass diff --git a/gybe/k8s/v1_33/certificates/v1beta1.py b/gybe/k8s/v1_33/certificates/v1beta1.py new file mode 100644 index 0000000..a513bb2 --- /dev/null +++ b/gybe/k8s/v1_33/certificates/v1beta1.py 
@@ -0,0 +1,66 @@ +"""Models generated from Kubernetes OpenAPI Spec.""" + +from __future__ import annotations + +from dataclasses import dataclass +from typing import Literal, Optional + +import gybe.k8s.v1_33.meta.v1 +from gybe.k8s.types import K8sResource, K8sSpec + + +@dataclass +class ClusterTrustBundle(K8sResource): + """ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates). + ClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, + because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts + have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a + cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to. It + can be optionally associated with a particular assigner, in which case it contains one valid set of + trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an + independent set of trust anchors for that signer. Admission control is used to enforce that only users + with permissions on the signer can create or modify the corresponding bundle. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: metadata contains the object metadata. + spec: spec contains the signer (if any) and trust anchors. 
+ + """ + + spec: ClusterTrustBundleSpec + apiVersion: Literal['certificates.k8s.io/v1beta1'] = 'certificates.k8s.io/v1beta1' + kind: Literal['ClusterTrustBundle'] = 'ClusterTrustBundle' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + + +@dataclass +class ClusterTrustBundleSpec(K8sSpec): + """ClusterTrustBundleSpec contains the signer and trust anchors. + + Attributes: + signerName: signerName indicates the associated signer, if any. In order to create or update a + ClusterTrustBundle that sets signerName, you must have the following cluster-scoped permission: + group=certificates.k8s.io resource=signers resourceName= verb=attest. If + signerName is not empty, then the ClusterTrustBundle object must be named with the signer name as + a prefix (translating slashes to colons). For example, for the signer name `example.com/foo`, + valid ClusterTrustBundle object names include `example.com:foo:abc` and `example.com:foo:v1`. If + signerName is empty, then the ClusterTrustBundle object's name must not have such a prefix. + List/watch requests for ClusterTrustBundles can filter on this field using a + `spec.signerName=NAME` field selector. + trustBundle: trustBundle contains the individual X.509 trust anchors for this bundle, as PEM bundle of + PEM-wrapped, DER-formatted X.509 certificates. The data must consist only of PEM certificate + blocks that parse as valid X.509 certificates. Each certificate must include a basic constraints + extension with the CA bit set. The API server will reject objects that contain duplicate + certificates, or that use PEM block headers. Users of ClusterTrustBundles, including Kubelet, are + free to reorder and deduplicate certificate blocks in this file according to their own logic, as + well as to drop PEM block headers and inter-block data. + + """ + + trustBundle: str + signerName: Optional[str] = None 
diff --git a/gybe/k8s/v1_29/coordination/v1.py b/gybe/k8s/v1_33/coordination/v1.py similarity index 65% rename from gybe/k8s/v1_29/coordination/v1.py rename to gybe/k8s/v1_33/coordination/v1.py index b86ad7d..9e07d4e 100644 --- a/gybe/k8s/v1_29/coordination/v1.py +++ b/gybe/k8s/v1_33/coordination/v1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec @@ -26,7 +26,7 @@ class Lease(K8sResource): apiVersion: Literal['coordination.k8s.io/v1'] = 'coordination.k8s.io/v1' kind: Literal['Lease'] = 'Lease' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[LeaseSpec] = None 
@@ -36,11 +36,18 @@ class LeaseSpec(K8sSpec): Attributes: acquireTime: acquireTime is a time when the current lease was acquired. - holderIdentity: holderIdentity contains the identity of the holder of a current lease. + holderIdentity: holderIdentity contains the identity of the holder of a current lease. If Coordinated + Leader Election is used, the holder identity must be equal to the elected + LeaseCandidate.metadata.name field. leaseDurationSeconds: leaseDurationSeconds is a duration that candidates for a lease need to wait to - force acquire it. This is measure against time of last observed renewTime. + force acquire it. This is measured against the time of last observed renewTime. leaseTransitions: leaseTransitions is the number of transitions of a lease between holders. + preferredHolder: PreferredHolder signals to a lease holder that the lease has a more optimal holder + and should be given up. This field can only be set if Strategy is also set. renewTime: renewTime is a time when the current holder of a lease has last updated the lease. + strategy: Strategy indicates the strategy for picking the leader for coordinated leader election. If + the field is not specified, there is no active coordination for this lease. (Alpha) Using this + field requires the CoordinatedLeaderElection feature gate to be enabled. """ @@ -48,4 +55,6 @@ class LeaseSpec(K8sSpec): holderIdentity: Optional[str] = None leaseDurationSeconds: Optional[int] = None leaseTransitions: Optional[int] = None + preferredHolder: Optional[str] = None renewTime: Optional[str] = None + strategy: Optional[str] = None diff --git a/gybe/k8s/v1_33/coordination/v1alpha2.py b/gybe/k8s/v1_33/coordination/v1alpha2.py new file mode 100644 index 0000000..a175ab0 --- /dev/null +++ b/gybe/k8s/v1_33/coordination/v1alpha2.py 
@@ -0,0 +1,66 @@ +"""Models generated from Kubernetes OpenAPI Spec.""" + +from __future__ import annotations + +from dataclasses import dataclass +from typing import Literal, Optional + +import gybe.k8s.v1_33.meta.v1 +from gybe.k8s.types import K8sResource, K8sSpec + + +@dataclass +class LeaseCandidate(K8sResource): + """LeaseCandidate defines a candidate for a Lease object. Candidates are created such that coordinated + leader election will pick the best leader from the list of candidates. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: + spec: spec contains the specification of the Lease. + + """ + + apiVersion: Literal['coordination.k8s.io/v1alpha2'] = 'coordination.k8s.io/v1alpha2' + kind: Literal['LeaseCandidate'] = 'LeaseCandidate' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + spec: Optional[LeaseCandidateSpec] = None + + +@dataclass +class LeaseCandidateSpec(K8sSpec): + """LeaseCandidateSpec is a specification of a Lease. + + Attributes: + binaryVersion: BinaryVersion is the binary version. It must be in a semver format without leading `v`. + This field is required. + emulationVersion: EmulationVersion is the emulation version. It must be in a semver format without + leading `v`. EmulationVersion must be less than or equal to BinaryVersion. This field is required + when strategy is 'OldestEmulationVersion' + leaseName: LeaseName is the name of the lease for which this candidate is contending. This field is + immutable. + pingTime: PingTime is the last time that the server has requested the LeaseCandidate to renew. 
It is + only done during leader election to check if any LeaseCandidates have become ineligible. When + PingTime is updated, the LeaseCandidate will respond by updating RenewTime. + renewTime: RenewTime is the time that the LeaseCandidate was last updated. Any time a Lease needs to + do leader election, the PingTime field is updated to signal to the LeaseCandidate that they should + update the RenewTime. Old LeaseCandidate objects are also garbage collected if it has been hours + since the last renew. The PingTime field is updated regularly to prevent garbage collection for + still active LeaseCandidates. + strategy: Strategy is the strategy that coordinated leader election will use for picking the leader. + If multiple candidates for the same Lease return different strategies, the strategy provided by + the candidate with the latest BinaryVersion will be used. If there is still conflict, this is a + user error and coordinated leader election will not operate the Lease until resolved. + + """ + + leaseName: str + binaryVersion: str + strategy: str + emulationVersion: Optional[str] = None + pingTime: Optional[str] = None + renewTime: Optional[str] = None diff --git a/gybe/k8s/v1_33/coordination/v1beta1.py b/gybe/k8s/v1_33/coordination/v1beta1.py new file mode 100644 index 0000000..5383ca5 --- /dev/null +++ b/gybe/k8s/v1_33/coordination/v1beta1.py 
@@ -0,0 +1,67 @@ +"""Models generated from Kubernetes OpenAPI Spec.""" + +from __future__ import annotations + +from dataclasses import dataclass +from typing import Literal, Optional + +import gybe.k8s.v1_33.meta.v1 +from gybe.k8s.types import K8sResource, K8sSpec + + +@dataclass +class LeaseCandidate(K8sResource): + """LeaseCandidate defines a candidate for a Lease object. Candidates are created such that coordinated + leader election will pick the best leader from the list of candidates. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: + spec: spec contains the specification of the Lease. + + """ + + apiVersion: Literal['coordination.k8s.io/v1beta1'] = 'coordination.k8s.io/v1beta1' + kind: Literal['LeaseCandidate'] = 'LeaseCandidate' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + spec: Optional[LeaseCandidateSpec] = None + + +@dataclass +class LeaseCandidateSpec(K8sSpec): + """LeaseCandidateSpec is a specification of a Lease. + + Attributes: + binaryVersion: BinaryVersion is the binary version. It must be in a semver format without leading `v`. + This field is required. + emulationVersion: EmulationVersion is the emulation version. It must be in a semver format without + leading `v`. EmulationVersion must be less than or equal to BinaryVersion. This field is required + when strategy is 'OldestEmulationVersion' + leaseName: LeaseName is the name of the lease for which this candidate is contending. The limits on + this field are the same as on Lease.name. Multiple lease candidates may reference the same + Lease.name. This field is immutable. 
+ pingTime: PingTime is the last time that the server has requested the LeaseCandidate to renew. It is + only done during leader election to check if any LeaseCandidates have become ineligible. When + PingTime is updated, the LeaseCandidate will respond by updating RenewTime. + renewTime: RenewTime is the time that the LeaseCandidate was last updated. Any time a Lease needs to + do leader election, the PingTime field is updated to signal to the LeaseCandidate that they should + update the RenewTime. Old LeaseCandidate objects are also garbage collected if it has been hours + since the last renew. The PingTime field is updated regularly to prevent garbage collection for + still active LeaseCandidates. + strategy: Strategy is the strategy that coordinated leader election will use for picking the leader. + If multiple candidates for the same Lease return different strategies, the strategy provided by + the candidate with the latest BinaryVersion will be used. If there is still conflict, this is a + user error and coordinated leader election will not operate the Lease until resolved. + + """ + + leaseName: str + binaryVersion: str + strategy: str + emulationVersion: Optional[str] = None + pingTime: Optional[str] = None + renewTime: Optional[str] = None diff --git a/gybe/k8s/v1_29/core/v1.py b/gybe/k8s/v1_33/core/v1.py similarity index 88% rename from gybe/k8s/v1_29/core/v1.py rename to gybe/k8s/v1_33/core/v1.py index 12184fd..ef92abf 100644 --- a/gybe/k8s/v1_29/core/v1.py +++ b/gybe/k8s/v1_33/core/v1.py @@ -5,8 +5,8 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.api.resource -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.api.resource +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONDict, K8sResource, K8sSpec 
@@ -53,6 +53,55 @@ class ObjectReference(K8sSpec): uid: Optional[str] = None +@dataclass +class NodeSelector(K8sSpec): + """A node selector represents the union of the results of one or more label queries over a set of nodes; + that is, it represents the OR of the selectors represented by the node selector terms. + + Attributes: + nodeSelectorTerms: Required. A list of node selector terms. The terms are ORed. + + """ + + nodeSelectorTerms: List[NodeSelectorTerm] + + +@dataclass +class NodeSelectorRequirement(K8sSpec): + """A node selector requirement is a selector that contains values, a key, and an operator that relates + the key and values. + + Attributes: + key: The label key that the selector applies to. + operator: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, + DoesNotExist. Gt, and Lt. + values: An array of string values. If the operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt + or Lt, the values array must have a single element, which will be interpreted as an integer. This + array is replaced during a strategic merge patch. + + """ + + key: str + operator: str + values: Optional[List[str]] = None + + +@dataclass +class NodeSelectorTerm(K8sSpec): + """A null or empty node selector term matches no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + + Attributes: + matchExpressions: A list of node selector requirements by node's labels. + matchFields: A list of node selector requirements by node's fields. + + """ + + matchExpressions: Optional[List[NodeSelectorRequirement]] = None + matchFields: Optional[List[NodeSelectorRequirement]] = None + + @dataclass class AWSElasticBlockStoreVolumeSource(K8sSpec): """Represents a Persistent Disk resource in AWS. An AWS EBS disk must exist before mounting to a 
@@ -125,8 +174,7 @@ class AzureFilePersistentVolumeSource(K8sSpec): @dataclass class CSIPersistentVolumeSource(K8sSpec): - """Represents storage that is managed by an external CSI volume driver (Beta feature) - + """Represents storage that is managed by an external CSI volume driver Attributes: controllerExpandSecretRef: controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. @@ -388,8 +436,7 @@ class ISCSIPersistentVolumeSource(K8sSpec): @dataclass class LocalVolumeSource(K8sSpec): - """Local represents directly-attached storage with node affinity (Beta feature) - + """Local represents directly-attached storage with node affinity Attributes: fsType: fsType is the filesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. 'ext4', 'xfs', 'ntfs'. The 
@@ -421,55 +468,6 @@ class NFSVolumeSource(K8sSpec): readOnly: Optional[bool] = None -@dataclass -class NodeSelector(K8sSpec): - """A node selector represents the union of the results of one or more label queries over a set of nodes; - that is, it represents the OR of the selectors represented by the node selector terms. - - Attributes: - nodeSelectorTerms: Required. A list of node selector terms. The terms are ORed. - - """ - - nodeSelectorTerms: List[NodeSelectorTerm] - - -@dataclass -class NodeSelectorRequirement(K8sSpec): - """A node selector requirement is a selector that contains values, a key, and an operator that relates - the key and values. - - Attributes: - key: The label key that the selector applies to. - operator: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, - DoesNotExist. Gt, and Lt. - values: An array of string values. If the operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt - or Lt, the values array must have a single element, which will be interpreted as an integer. This - array is replaced during a strategic merge patch. - - """ - - key: str - operator: str - values: Optional[List[str]] = None - - -@dataclass -class NodeSelectorTerm(K8sSpec): - """A null or empty node selector term matches no objects. The requirements of them are ANDed. The - TopologySelectorTerm type implements a subset of the NodeSelectorTerm. - - Attributes: - matchExpressions: A list of node selector requirements by node's labels. - matchFields: A list of node selector requirements by node's fields. - - """ - - matchExpressions: Optional[List[NodeSelectorRequirement]] = None - matchFields: Optional[List[NodeSelectorRequirement]] = None - - @dataclass class PersistentVolumeSpec(K8sSpec): """PersistentVolumeSpec is the specification of a persistent volume. 
@@ -477,26 +475,39 @@ class PersistentVolumeSpec(K8sSpec): Attributes: accessModes: accessModes contains all ways the volume can be mounted. awsElasticBlockStore: awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. + kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is + deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the + ebs.csi.aws.com CSI driver. azureDisk: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected + to the disk.csi.azure.com CSI driver. azureFile: azureFile represents an Azure File Service mount on the host and bind mount to the pod. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected + to the file.csi.azure.com CSI driver. capacity: capacity is the description of the persistent volume's resources and capacity. - cephfs: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime - cinder: cinder represents a cinder volume attached and mounted on kubelets host machine. + cephfs: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS + is deprecated and the in-tree cephfs type is no longer supported. + cinder: cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: + Cinder is deprecated. All operations for the in-tree cinder type are redirected to the + cinder.csi.openstack.org CSI driver. claimRef: claimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. - csi: csi represents storage that is handled by an external CSI driver (Beta feature). 
+ csi: csi represents storage that is handled by an external CSI driver. fc: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. flexVolume: flexVolume represents a generic volume resource that is provisioned/attached using an exec - based plugin. + based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. flocker: flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the - pod for its usage. This depends on the Flocker control service being running + pod for its usage. This depends on the Flocker control service being running. Deprecated: Flocker + is deprecated and the in-tree flocker type is no longer supported. gcePersistentDisk: gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's - host machine and then exposed to the pod. Provisioned by an admin. + host machine and then exposed to the pod. Provisioned by an admin. Deprecated: GCEPersistentDisk + is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the + pd.csi.storage.gke.io CSI driver. glusterfs: glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. - Provisioned by an admin. + Provisioned by an admin. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no + longer supported. hostPath: hostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. 
@@ -513,25 +524,35 @@ class PersistentVolumeSpec(K8sSpec): PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. photonPersistentDisk: photonPersistentDisk represents a PhotonController persistent disk attached and - mounted on kubelets host machine + mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree + photonPersistentDisk type is no longer supported. portworxVolume: portworxVolume represents a portworx volume attached and mounted on kubelets host - machine - quobyte: quobyte represents a Quobyte mount on the host that shares a pod's lifetime - rbd: rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume + type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. + quobyte: quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: + Quobyte is deprecated and the in-tree quobyte type is no longer supported. + rbd: rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: + RBD is deprecated and the in-tree rbd type is no longer supported. scaleIO: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. storageClassName: storageClassName is the name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass. storageos: storageOS represents a StorageOS volume that is attached to the kubelet's host machine and - mounted into the pod + mounted into the pod. Deprecated: StorageOS is deprecated and the in-tree storageos type is no + longer supported. 
volumeAttributesClassName: Name of VolumeAttributesClass to which this persistent volume belongs. Empty value is not allowed. When this field is not set, it indicates that this volume does not belong to any VolumeAttributesClass. This field is mutable and can be changed by the CSI driver after a volume has been updated successfully to a new class. For an unbound PersistentVolume, the volumeAttributesClassName will be matched with unbound PersistentVolumeClaims during the binding - process. This is an alpha field and requires enabling VolumeAttributesClass feature. + process. This is a beta field and requires enabling VolumeAttributesClass feature (off by + default). volumeMode: volumeMode defines if a volume is intended to be used with a formatted filesystem or to remain in raw block state. Value of Filesystem is implied when not included in spec. - vsphereVolume: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + vsphereVolume: vsphereVolume represents a vSphere volume attached and mounted on kubelets host + machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume + type are redirected to the csi.vsphere.vmware.com CSI driver. """ 
@@ -844,6 +865,24 @@ class Affinity(K8sSpec): podAntiAffinity: Optional[PodAntiAffinity] = None +@dataclass +class AppArmorProfile(K8sSpec): + """AppArmorProfile defines a pod or container's AppArmor settings. + + Attributes: + localhostProfile: localhostProfile indicates a profile loaded on the node that should be used. The + profile must be preconfigured on the node to work. Must match the loaded name of the profile. Must + be set if and only if type is 'Localhost'. + type: type indicates which kind of AppArmor profile will be applied. Valid options are: Localhost - + a profile pre-loaded on the node. RuntimeDefault - the container runtime's default profile. + Unconfined - no AppArmor enforcement. + + """ + + type: str + localhostProfile: Optional[str] = None + + @dataclass class AzureFileVolumeSource(K8sSpec): """AzureFile represents an Azure File Service mount on the host and bind mount to the pod. 
@@ -950,28 +989,6 @@ class CinderVolumeSource(K8sSpec): secretRef: Optional[LocalObjectReference] = None -@dataclass -class ClaimSource(K8sSpec): - """ClaimSource describes a reference to a ResourceClaim. Exactly one of these fields should be set. - Consumers of this type must treat an empty object as if it has an unknown value. - - Attributes: - resourceClaimName: ResourceClaimName is the name of a ResourceClaim object in the same namespace as - this pod. - resourceClaimTemplateName: ResourceClaimTemplateName is the name of a ResourceClaimTemplate object in - the same namespace as this pod. The template will be used to create a new ResourceClaim, which - will be bound to this pod. When this pod is deleted, the ResourceClaim will also be deleted. The - pod name and resource name, along with a generated component, will be used to form a unique name - for the ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. This field is - immutable and no changes will be made to the corresponding ResourceClaim by the control plane - after creating the ResourceClaim. - - """ - - resourceClaimName: Optional[str] = None - resourceClaimTemplateName: Optional[str] = None - - @dataclass class ClusterTrustBundleProjection(K8sSpec): """ClusterTrustBundleProjection describes how to select a set of ClusterTrustBundle objects and project @@ -993,7 +1010,7 @@ class ClusterTrustBundleProjection(K8sSpec): """ path: str - labelSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + labelSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None name: Optional[str] = None optional: Optional[bool] = None signerName: Optional[str] = None 
@@ -1005,7 +1022,8 @@ class ConfigMapEnvSource(K8sSpec): the target ConfigMap's Data field will represent the key-value pairs as environment variables. Attributes: - name: Name of the referent. + name: Name of the referent. This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. optional: Specify whether the ConfigMap must be defined """ @@ -1020,7 +1038,8 @@ class ConfigMapKeySelector(K8sSpec): Attributes: key: The key to select. - name: Name of the referent. + name: Name of the referent. This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. optional: Specify whether the ConfigMap or its key must be defined """ @@ -1043,7 +1062,8 @@ class ConfigMapProjection(K8sSpec): the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - name: Name of the referent. + name: Name of the referent. This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. optional: optional specify whether the ConfigMap or its keys must be defined """ 
@@ -1071,7 +1091,8 @@ class ConfigMapVolumeSource(K8sSpec): the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - name: Name of the referent. + name: Name of the referent. This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. optional: optional specify whether the ConfigMap or its keys must be defined """ @@ -1252,7 +1273,7 @@ class DownwardAPIProjection(K8sSpec): class DownwardAPIVolumeFile(K8sSpec): """DownwardAPIVolumeFile represents information to create the file containing the pod field Attributes: - fieldRef: Required: Selects a field of the pod: only annotations, labels, name and namespace are + fieldRef: Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported. mode: Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON @@ -1309,15 +1330,15 @@ class EmptyDirVolumeSource(K8sSpec): """ medium: Optional[str] = None - sizeLimit: Optional[gybe.k8s.v1_29.api.resource.Quantity] = None + sizeLimit: Optional[gybe.k8s.v1_33.api.resource.Quantity] = None @dataclass class EnvFromSource(K8sSpec): - """EnvFromSource represents the source of a set of ConfigMaps + """EnvFromSource represents the source of a set of ConfigMaps or Secrets Attributes: configMapRef: The ConfigMap to select from - prefix: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + prefix: Optional text to prepend to the name of each environment variable. Must be a C_IDENTIFIER. secretRef: The Secret to select from """ 
@@ -1543,7 +1564,7 @@ class FlexVolumeSource(K8sSpec): @dataclass class GRPCAction(K8sSpec): - """Schema model io.k8s.api.core.v1.GRPCAction. + """GRPCAction specifies an action involving a GRPC service. Attributes: port: Port number of the gRPC service. Number must be in the range 1 to 65535. @@ -1643,8 +1664,8 @@ class HostAlias(K8sSpec): """ + ip: str hostnames: Optional[List[str]] = None - ip: Optional[str] = None @dataclass @@ -1687,6 +1708,27 @@ class ISCSIVolumeSource(K8sSpec): secretRef: Optional[LocalObjectReference] = None +@dataclass +class ImageVolumeSource(K8sSpec): + """ImageVolumeSource represents a image volume resource. + + Attributes: + pullPolicy: Policy for pulling OCI objects. Possible values are: Always: the kubelet always attempts + to pull the reference. Container creation will fail If the pull fails. Never: the kubelet never + pulls the reference and only uses a local image or artifact. Container creation will fail if the + reference isn't present. IfNotPresent: the kubelet pulls if the reference isn't already present on + disk. Container creation will fail if the reference isn't present and the pull fails. Defaults to + Always if :latest tag is specified, or IfNotPresent otherwise. + reference: Required: Image or artifact reference to be used. Behaves in the same way as + pod.spec.containers[*].image. Pull secrets will be assembled in the same way as for the container + image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + + """ + + pullPolicy: Optional[str] = None + reference: Optional[str] = None + + @dataclass class KeyToPath(K8sSpec): """Maps a string key to a path within a volume. 
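Review bot: In the HostAlias hunk `ip` becomes a required `str` and moves ahead of `hostnames`, so a caller that builds the object positionally now passes its arguments in swapped order; dataclasses do not check types at runtime, so the mistake would go unnoticed until the manifest is rendered. Other hunks insert fields mid-list in the same way (`appArmorProfile` first in PodSecurityContext and SecurityContext, `resources` in PodSpec), which shifts every later positional argument. If the project's minimum Python version allows it, `@dataclass(kw_only=True)` would make these specs keyword-only and immune to reordering; otherwise a comment above the fields such as `# construct with keyword arguments; field order follows the schema and changes between versions` would help. The HostAlias class header and docstring start outside the hunk.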
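Review bot: The ImageVolumeSource docstring labels `reference` as "Required", but the field is declared `reference: Optional[str] = None`, so an ImageVolumeSource with no image reference constructs without complaint. If the optional typing deliberately mirrors the upstream schema, say so next to the field, for example `# schema marks this optional although the description says "Required"`; otherwise declare it `reference: str` and place it before `pullPolicy`. The class is fully contained in this hunk.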
@@ -1725,11 +1767,15 @@ class Lifecycle(K8sSpec): the container will eventually terminate within the Pod's termination grace period (unless delayed by finalizers). Other management of the container blocks until the hook completes or until the termination grace period is reached. + stopSignal: StopSignal defines which signal will be sent to a container when it is being stopped. If + not specified, the default is defined by the container runtime in use. StopSignal can only be set + for Pods with a non-empty .spec.os.name """ postStart: Optional[LifecycleHandler] = None preStop: Optional[LifecycleHandler] = None + stopSignal: Optional[str] = None @dataclass @@ -1738,12 +1784,12 @@ class LifecycleHandler(K8sSpec): of the fields, except TCPSocket must be specified. Attributes: - exec: Exec specifies the action to take. - httpGet: HTTPGet specifies the http request to perform. - sleep: Sleep represents the duration that the container should sleep before being terminated. - tcpSocket: Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for the backward - compatibility. There are no validation of this field and lifecycle hooks will fail in runtime when - tcp handler is specified. + exec: Exec specifies a command to execute in the container. + httpGet: HTTPGet specifies an HTTP GET request to perform. + sleep: Sleep represents a duration that the container should sleep. + tcpSocket: Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept for backward + compatibility. There is no validation of this field and lifecycle hooks will fail at runtime when + it is specified. """ @@ -1759,7 +1805,8 @@ class LocalObjectReference(K8sSpec): same namespace. Attributes: - name: Name of the referent. + name: Name of the referent. This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. """ 
@@ -1840,7 +1887,7 @@ class PersistentVolumeClaim(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['PersistentVolumeClaim'] = 'PersistentVolumeClaim' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[PersistentVolumeClaimSpec] = None status: Optional[PersistentVolumeClaimStatus] = None @@ -1854,10 +1901,10 @@ class PersistentVolumeClaimCondition(K8sSpec): another. message: message is the human-readable message indicating details about last transition. reason: reason is a unique, this should be a short, machine understandable string that gives the - reason for condition's last transition. If it reports 'ResizeStarted' that means the underlying + reason for condition's last transition. If it reports 'Resizing' that means the underlying persistent volume is being resized. - status: ... - type: ... + status: Status is the status of the condition. Can be True, False, Unknown. + type: Type is the type of the condition. """ @@ -1924,7 +1971,7 @@ class PersistentVolumeClaimSpec(K8sSpec): dataSource: Optional[TypedLocalObjectReference] = None dataSourceRef: Optional[TypedObjectReference] = None resources: Optional[VolumeResourceRequirements] = None - selector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + selector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None storageClassName: Optional[str] = None volumeAttributesClassName: Optional[str] = None volumeMode: Optional[str] = None 
@@ -1978,14 +2025,14 @@ class PersistentVolumeClaimStatus(K8sSpec): enabling RecoverVolumeExpansionFailure feature. capacity: capacity represents the actual resources of the underlying volume. conditions: conditions is the current Condition of persistent volume claim. If underlying persistent - volume is being resized then the Condition will be set to 'ResizeStarted'. + volume is being resized then the Condition will be set to 'Resizing'. currentVolumeAttributesClassName: currentVolumeAttributesClassName is the current name of the VolumeAttributesClass the PVC is using. When unset, there is no VolumeAttributeClass applied to - this PersistentVolumeClaim This is an alpha field and requires enabling VolumeAttributesClass - feature. + this PersistentVolumeClaim This is a beta field and requires enabling VolumeAttributesClass + feature (off by default). modifyVolumeStatus: ModifyVolumeStatus represents the status object of ControllerModifyVolume - operation. When this is unset, there is no ModifyVolume operation being attempted. This is an - alpha field and requires enabling VolumeAttributesClass feature. + operation. When this is unset, there is no ModifyVolume operation being attempted. This is a beta + field and requires enabling VolumeAttributesClass feature (off by default). phase: phase represents the current phase of PersistentVolumeClaim. """ @@ -2015,7 +2062,7 @@ class PersistentVolumeClaimTemplate(K8sSpec): """ spec: PersistentVolumeClaimSpec - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None @dataclass 
@@ -2072,20 +2119,18 @@ class PodAffinityTerm(K8sSpec): PodAffinityTerm matches with no Pods. matchLabelKeys: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value - labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods + labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key - is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set - when LabelSelector isn't set. This is an alpha field and requires enabling - MatchLabelKeysInPodAffinity feature gate. + is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set + when labelSelector isn't set. mismatchLabelKeys: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key- - value labels are merged with `LabelSelector` as `key notin (value)` to select the group of + value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is - empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, - MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires - enabling MatchLabelKeysInPodAffinity feature gate. + empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. 
Also, + mismatchLabelKeys cannot be set when labelSelector isn't set. namespaceSelector: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means 'this pod's namespace'. An @@ -2102,10 +2147,10 @@ class PodAffinityTerm(K8sSpec): """ topologyKey: str - labelSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + labelSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None matchLabelKeys: Optional[List[str]] = None mismatchLabelKeys: Optional[List[str]] = None - namespaceSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + namespaceSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None namespaces: Optional[List[str]] = None @@ -2160,8 +2205,8 @@ class PodDNSConfigOption(K8sSpec): """PodDNSConfigOption defines DNS resolver options of a pod. Attributes: - name: Required. - value: ... + name: Name is this DNS resolver option's name. Required. + value: Value is this DNS resolver option's value. """ 
@@ -2198,18 +2243,29 @@ class PodReadinessGate(K8sSpec): @dataclass class PodResourceClaim(K8sSpec): - """PodResourceClaim references exactly one ResourceClaim through a ClaimSource. It adds a name to it that - uniquely identifies the ResourceClaim inside the Pod. Containers that need access to the ResourceClaim - reference it with this name. + """PodResourceClaim references exactly one ResourceClaim, either directly or by naming a + ResourceClaimTemplate which is then turned into a ResourceClaim for the pod. It adds a name to it + that uniquely identifies the ResourceClaim inside the Pod. Containers that need access to the + ResourceClaim reference it with this name. Attributes: name: Name uniquely identifies this resource claim inside the pod. This must be a DNS_LABEL. - source: Source describes where to find the ResourceClaim. + resourceClaimName: ResourceClaimName is the name of a ResourceClaim object in the same namespace as + this pod. Exactly one of ResourceClaimName and ResourceClaimTemplateName must be set. + resourceClaimTemplateName: ResourceClaimTemplateName is the name of a ResourceClaimTemplate object in + the same namespace as this pod. The template will be used to create a new ResourceClaim, which + will be bound to this pod. When this pod is deleted, the ResourceClaim will also be deleted. The + pod name and resource name, along with a generated component, will be used to form a unique name + for the ResourceClaim, which will be recorded in pod.status.resourceClaimStatuses. This field is + immutable and no changes will be made to the corresponding ResourceClaim by the control plane + after creating the ResourceClaim. Exactly one of ResourceClaimName and ResourceClaimTemplateName + must be set. """ name: str - source: Optional[ClaimSource] = None + resourceClaimName: Optional[str] = None + resourceClaimTemplateName: Optional[str] = None @dataclass 
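Review bot: PodResourceClaim now carries `resourceClaimName` and `resourceClaimTemplateName` directly, both defaulting to None, while the docstring states that exactly one of them must be set; nothing in this class rejects the both-set or neither-set case. Callers written against the previous version that pass `source=` will also fail, since that field is removed here. A comment above the two fields would make the constraint visible where the object is built, e.g. `# exactly one of resourceClaimName / resourceClaimTemplateName must be set (not checked here)`. Whether K8sSpec performs any validation cannot be seen from this hunk.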
@@ -2231,6 +2287,8 @@ class PodSecurityContext(K8sSpec): over field values of PodSecurityContext. Attributes: + appArmorProfile: appArmorProfile is the AppArmor options to use by the containers in this pod. Note + that this field cannot be set when spec.os.name is windows. fsGroup: A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 
@@ -2255,6 +2313,23 @@ class PodSecurityContext(K8sSpec): metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. + seLinuxChangePolicy: seLinuxChangePolicy defines how the container's SELinux label is applied to all + volumes used by the Pod. It has no effect on nodes that do not support SELinux or to volumes does + not support SELinux. Valid values are 'MountOption' and 'Recursive'. 'Recursive' means relabeling + of all files on all Pod volumes by the container runtime. This may be slow for large volumes, but + allows mixing privileged and unprivileged Pods sharing the same volume on the same node. + 'MountOption' mounts all eligible Pod volumes with `-o context` mount option. This requires all + Pods that share the same volume to use the same SELinux label. It is not possible to share the + same volume among privileged and unprivileged Pods. Eligible volumes are in-tree FibreChannel and + iSCSI volumes, and all CSI volumes whose CSI driver announces SELinux support by setting + spec.seLinuxMount: true in their CSIDriver instance. Other volumes are always re-labelled + recursively. 'MountOption' value is allowed only when SELinuxMount feature gate is enabled. If + not specified and SELinuxMount feature gate is enabled, 'MountOption' is used. If not specified + and SELinuxMount feature gate is disabled, 'MountOption' is used for ReadWriteOncePod volumes and + 'Recursive' for all other volumes. This field affects only Pods that have SELinux label set, + either in PodSecurityContext or in SecurityContext of all containers. All Pods that use the same + volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in + ContainerCreating state. Note that this field cannot be set when spec.os.name is windows. 
seLinuxOptions: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in 
@@ -2263,11 +2338,17 @@ class PodSecurityContext(K8sSpec): seccompProfile: The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. supplementalGroups: A list of groups applied to the first process run in each container, in addition - to the container's primary GID, the fsGroup (if specified), and group memberships defined in the - container image for the uid of the container process. If unspecified, no additional groups are - added to any container. Note that group memberships defined in the container image for the uid of - the container process are still effective, even if they are not included in this list. Note that - this field cannot be set when spec.os.name is windows. + to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy + feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to + or instead of any group memberships defined in the container image. If unspecified, no additional + groups are added, though group memberships defined in the container image may still be used, + depending on the supplementalGroupsPolicy field. Note that this field cannot be set when + spec.os.name is windows. + supplementalGroupsPolicy: Defines how supplemental groups of the first container processes are + calculated. Valid values are 'Merge' and 'Strict'. If not specified, 'Merge' is used. (Alpha) + Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container + runtime must implement support for this feature. Note that this field cannot be set when + spec.os.name is windows. sysctls: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. 
@@ -2278,14 +2359,17 @@ class PodSecurityContext(K8sSpec): """ + appArmorProfile: Optional[AppArmorProfile] = None fsGroup: Optional[int] = None fsGroupChangePolicy: Optional[str] = None runAsGroup: Optional[int] = None runAsNonRoot: Optional[bool] = None runAsUser: Optional[int] = None + seLinuxChangePolicy: Optional[str] = None seLinuxOptions: Optional[SELinuxOptions] = None seccompProfile: Optional[SeccompProfile] = None supplementalGroups: Optional[List[int]] = None + supplementalGroupsPolicy: Optional[str] = None sysctls: Optional[List[Sysctl]] = None windowsOptions: Optional[WindowsSecurityContextOptions] = None @@ -2316,7 +2400,7 @@ class PodSpec(K8sSpec): when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. hostAliases: HostAliases is an optional list of hosts and IPs that will be injected into the pod's - hosts file if specified. This is only valid for non-hostNetwork pods. + hosts file if specified. hostIPC: Use the host's ipc namespace. Optional: Default to false. hostNetwork: Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false. 
@@ -2339,21 +2423,26 @@ class PodSpec(K8sSpec): normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each - resource type, and then using the max of of that value or the sum of the normal containers. Limits + resource type, and then using the max of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. - nodeName: NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the - scheduler simply schedules this pod onto that node, assuming that it fits resource requirements. + nodeName: NodeName indicates in which node this pod is scheduled. If empty, this pod is a candidate + for scheduling by the scheduler defined in schedulerName. Once this field is set, the kubelet for + this node becomes responsible for the lifecycle of this pod. This field should not be used to + express a desire for the pod to be scheduled on a specific node. + https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodename nodeSelector: NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. os: Specifies the OS of the containers in the pod. Some pod and container fields are restricted if this is set. 
If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions If the OS field is set to windows, following fields must be - unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions - + unset: - spec.hostPID - spec.hostIPC - spec.hostUsers - spec.securityContext.appArmorProfile - + spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - + spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - + spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - + spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - + spec.securityContext.supplementalGroupsPolicy - spec.containers[*].securityContext.appArmorProfile + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - 
@@ -2385,6 +2474,11 @@ class PodSpec(K8sSpec): Pod is allowed to start. The resources will be made available to those containers which consume them by name. This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. This field is immutable. + resources: Resources is the total amount of CPU and Memory resources required by all containers in the + pod. It supports specifying Requests and Limits for 'cpu' and 'memory' resource names only. + ResourceClaims are not supported. This field enables fine-grained control over resource + allocation for the entire pod, allowing resource sharing among containers in a pod. This is an + alpha field and requires enabling the PodLevelResources feature gate. restartPolicy: Restart policy for all containers within the pod. One of Always, OnFailure, Never. In some contexts, only a subset of those values may be permitted. Default to Always. runtimeClassName: RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which 
@@ -2396,19 +2490,18 @@ class PodSpec(K8sSpec): schedulingGates: SchedulingGates is an opaque list of values that if specified will block scheduling the pod. If schedulingGates is not empty, the pod will stay in the SchedulingGated state and the scheduler will not attempt to schedule the pod. SchedulingGates can only be set at pod creation - time, and be removed only afterwards. This is a beta feature enabled by the - PodSchedulingReadiness feature gate. + time, and be removed only afterwards. securityContext: SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field. - serviceAccount: DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: - Use serviceAccountName instead. + serviceAccount: DeprecatedServiceAccount is a deprecated alias for ServiceAccountName. Deprecated: Use + serviceAccountName instead. serviceAccountName: ServiceAccountName is the name of the ServiceAccount to use to run this pod. setHostnameAsFQDN: If true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key - HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters to FQDN. If a pod does not - have FQDN, this has no effect. Default to false. + HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters to FQDN. If a pod does + not have FQDN, this has no effect. Default to false. shareProcessNamespace: Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and 
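Review bot: The setHostnameAsFQDN description is re-wrapped in this hunk but still prints the Windows registry key as `HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters`, with no separators between the path components, so the key cannot be looked up as written. The backslashes were presumably lost when the schema description was turned into a docstring (an escaping step is the likely cause, to be confirmed in the generator). The docstring should keep them, either escaped as `\\` or emitted inside a raw string. The PodSpec docstring starts and ends outside this hunk.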
@@ -2455,6 +2548,7 @@ class PodSpec(K8sSpec): priorityClassName: Optional[str] = None readinessGates: Optional[List[PodReadinessGate]] = None resourceClaims: Optional[List[PodResourceClaim]] = None + resources: Optional[ResourceRequirements] = None restartPolicy: Optional[str] = None runtimeClassName: Optional[str] = None schedulerName: Optional[str] = None @@ -2480,7 +2574,7 @@ class PodTemplateSpec(K8sSpec): """ - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[PodSpec] = None @@ -2505,17 +2599,17 @@ class Probe(K8sSpec): ready to receive traffic. Attributes: - exec: Exec specifies the action to take. + exec: Exec specifies a command to execute in the container. failureThreshold: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - grpc: GRPC specifies an action involving a GRPC port. - httpGet: HTTPGet specifies the http request to perform. + grpc: GRPC specifies a GRPC HealthCheckRequest. + httpGet: HTTPGet specifies an HTTP GET request to perform. initialDelaySeconds: Number of seconds after the container has started before liveness probes are initiated. periodSeconds: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. successThreshold: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - tcpSocket: TCPSocket specifies an action involving a TCP port. + tcpSocket: TCPSocket specifies a connection to a TCP port. terminationGracePeriodSeconds: Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill 
@@ -2551,7 +2645,7 @@ class ProjectedVolumeSource(K8sSpec): octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. - sources: sources is the list of volume projections + sources: sources is the list of volume projections. Each entry in this list handles one source. """ @@ -2596,10 +2690,13 @@ class ResourceClaim(K8sSpec): Attributes: name: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + request: Request is the name chosen for a request in the referenced claim. If empty, everything from + the claim is made available, otherwise only the result of this request. """ name: str + request: Optional[str] = None @dataclass @@ -2614,7 +2711,7 @@ class ResourceFieldSelector(K8sSpec): resource: str containerName: Optional[str] = None - divisor: Optional[gybe.k8s.v1_29.api.resource.Quantity] = None + divisor: Optional[gybe.k8s.v1_33.api.resource.Quantity] = None @dataclass @@ -2714,7 +2811,8 @@ class SecretEnvSource(K8sSpec): target Secret's Data field will represent the key-value pairs as environment variables. Attributes: - name: Name of the referent. + name: Name of the referent. This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. optional: Specify whether the Secret must be defined """ 
@@ -2729,7 +2827,8 @@ class SecretKeySelector(K8sSpec): Attributes: key: The key of the secret to select from. Must be a valid secret key. - name: Name of the referent. + name: Name of the referent. This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. optional: Specify whether the Secret or its key must be defined """ @@ -2751,7 +2850,8 @@ class SecretProjection(K8sSpec): the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - name: Name of the referent. + name: Name of the referent. This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. optional: optional field specify whether the Secret or its key must be defined """ 
@@ -2800,16 +2900,19 @@ class SecurityContext(K8sSpec): than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows. + appArmorProfile: appArmorProfile is the AppArmor options to use by this container. If set, this + profile overrides the pod's appArmorProfile. Note that this field cannot be set when spec.os.name + is windows. capabilities: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. privileged: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows. - procMount: procMount denotes the type of proc mount to use for the containers. The default is - DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set - when spec.os.name is windows. + procMount: procMount denotes the type of proc mount to use for the containers. The default value is + Default which uses the container runtime defaults for readonly paths and masked paths. This + requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when + spec.os.name is windows. readOnlyRootFilesystem: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. runAsGroup: The GID to run the entrypoint of the container process. Uses runtime default if unset. May 
@@ -2840,6 +2943,7 @@ class SecurityContext(K8sSpec): """ allowPrivilegeEscalation: Optional[bool] = None + appArmorProfile: Optional[AppArmorProfile] = None capabilities: Optional[Capabilities] = None privileged: Optional[bool] = None procMount: Optional[str] = None 
@@ -2981,20 +3085,16 @@ class TopologySpreadConstraint(K8sSpec): zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so 'global minimum' is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three - zones, it will violate MaxSkew. This is a beta field and requires the - MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default). + zones, it will violate MaxSkew. nodeAffinityPolicy: NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. If this value is nil, the behavior is - equivalent to the Honor policy. This is a beta-level feature default enabled by the - NodeInclusionPolicyInPodTopologySpread feature flag. + equivalent to the Honor policy. nodeTaintsPolicy: NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All - nodes are included. If this value is nil, the behavior is equivalent to the Ignore policy. This - is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature - flag. + nodes are included. If this value is nil, the behavior is equivalent to the Ignore policy. topologyKey: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a 'bucket', and try to put balanced number of pods into each bucket. We define a domain as a 
@@ -3019,7 +3119,7 @@ class TopologySpreadConstraint(K8sSpec): maxSkew: int topologyKey: str whenUnsatisfiable: str - labelSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + labelSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None matchLabelKeys: Optional[List[str]] = None minDomains: Optional[int] = None nodeAffinityPolicy: Optional[str] = None @@ -3047,8 +3147,7 @@ class TypedLocalObjectReference(K8sSpec): @dataclass class TypedObjectReference(K8sSpec): - """Schema model io.k8s.api.core.v1.TypedObjectReference. - + """TypedObjectReference contains enough information to let you locate the typed referenced object Attributes: apiGroup: APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is 
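Review bot: The rewritten TypedObjectReference docstring loses the blank line between its summary and `Attributes:` (two lines removed, one added) and the summary has no closing period, so the section header follows the summary directly. The added ContainerUser and LinuxContainerUser classes and the PortStatus change in this patch have the same shape, whereas VolumeProjection, whose description ends in a period, keeps the separator. If these modules come from the code generator, its docstring template is probably the place to fix it: emit the summary as `"""TypedObjectReference contains enough information to let you locate the typed referenced object.` and always write an empty line before `Attributes:`. The class body continues outside the hunk.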
@@ -3075,14 +3174,23 @@ class Volume(K8sSpec): Attributes: awsElasticBlockStore: awsElasticBlockStore represents an AWS Disk resource that is attached to a - kubelet's host machine and then exposed to the pod. + kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is + deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the + ebs.csi.aws.com CSI driver. azureDisk: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected + to the disk.csi.azure.com CSI driver. azureFile: azureFile represents an Azure File Service mount on the host and bind mount to the pod. - cephfs: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime - cinder: cinder represents a cinder volume attached and mounted on kubelets host machine. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected + to the file.csi.azure.com CSI driver. + cephfs: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS + is deprecated and the in-tree cephfs type is no longer supported. + cinder: cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: + Cinder is deprecated. All operations for the in-tree cinder type are redirected to the + cinder.csi.openstack.org CSI driver. configMap: configMap represents a configMap that should populate this volume csi: csi (Container Storage Interface) represents ephemeral storage that is handled by certain - external CSI drivers (Beta feature). + external CSI drivers. downwardAPI: downwardAPI represents downward API about the pod that should populate this volume emptyDir: emptyDir represents a temporary directory that shares a pod's lifetime. ephemeral: ephemeral represents a volume that is handled by a cluster storage driver. The volume's 
@@ -3099,18 +3207,40 @@ class Volume(K8sSpec): fc: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. flexVolume: flexVolume represents a generic volume resource that is provisioned/attached using an exec - based plugin. + based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. flocker: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the - Flocker control service being running + Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker + type is no longer supported. gcePersistentDisk: gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's - host machine and then exposed to the pod. - gitRepo: gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is + host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All + operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI + driver. + gitRepo: gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container. glusterfs: glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. hostPath: hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. + image: image represents an OCI object (a container image or artifact) pulled and mounted on the + kubelet's host machine. 
The volume is resolved at pod startup depending on which PullPolicy value + is provided: - Always: the kubelet always attempts to pull the reference. Container creation will + fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image + or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the + kubelet pulls if the reference isn't already present on disk. Container creation will fail if the + reference isn't present and the pull fails. The volume gets re-resolved if the pod gets deleted + and recreated, which means that new remote content will become available on pod recreation. A + failure to resolve or pull the image during pod startup will block containers from starting and + may add significant latency. Failures will be retried using normal volume backoff and will be + reported on the pod reason and message. The types of objects that may be mounted by this volume + are defined by the container runtime implementation on a host machine and at minimum must include + all valid types supported by the container image field. The OCI object gets mounted in a single + directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same + way as for container images. The volume will be mounted read-only (ro) and non-executable files + (noexec). Sub path mounts for containers are not supported + (spec.containers[*].volumeMounts.subpath) before 1.33. The field + spec.securityContext.fsGroupChangePolicy has no effect on this volume type. iscsi: iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. name: name of the volume. Must be a DNS_LABEL and unique within the pod. 
@@ -3118,16 +3248,25 @@ class Volume(K8sSpec): persistentVolumeClaim: persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. photonPersistentDisk: photonPersistentDisk represents a PhotonController persistent disk attached and - mounted on kubelets host machine + mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree + photonPersistentDisk type is no longer supported. portworxVolume: portworxVolume represents a portworx volume attached and mounted on kubelets host - machine + machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume + type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. projected: projected items for all in one resources secrets, configmaps, and downward API - quobyte: quobyte represents a Quobyte mount on the host that shares a pod's lifetime - rbd: rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + quobyte: quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: + Quobyte is deprecated and the in-tree quobyte type is no longer supported. + rbd: rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: + RBD is deprecated and the in-tree rbd type is no longer supported. scaleIO: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. secret: secret represents a secret that should populate this volume. storageos: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - vsphereVolume: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine + Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. 
+ vsphereVolume: vsphereVolume represents a vSphere volume attached and mounted on kubelets host + machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume + type are redirected to the csi.vsphere.vmware.com CSI driver. """ @@ -3149,6 +3288,7 @@ class Volume(K8sSpec): gitRepo: Optional[GitRepoVolumeSource] = None glusterfs: Optional[GlusterfsVolumeSource] = None hostPath: Optional[HostPathVolumeSource] = None + image: Optional[ImageVolumeSource] = None iscsi: Optional[ISCSIVolumeSource] = None nfs: Optional[NFSVolumeSource] = None persistentVolumeClaim: Optional[PersistentVolumeClaimVolumeSource] = None 
@@ -3184,9 +3324,20 @@ class VolumeMount(K8sSpec): Attributes: mountPath: Path within the container at which the volume should be mounted. Must not contain ':'. mountPropagation: mountPropagation determines how mounts are propagated from the host to container and - the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. + the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When + RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). name: This must match the Name of a Volume. readOnly: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + recursiveReadOnly: RecursiveReadOnly specifies whether read-only mounts should be handled recursively. + If ReadOnly is false, this field has no meaning and must be unspecified. If ReadOnly is true, and + this field is set to Disabled, the mount is not made recursively read-only. If this field is set + to IfPossible, the mount is made recursively read-only, if it is supported by the container + runtime. If this field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and an error will be + generated to indicate the reason. If this field is set to IfPossible or Enabled, MountPropagation + must be set to None (or be unspecified, which defaults to None). If this field is not specified, + it is treated as an equivalent of Disabled. subPath: Path within the volume from which the container's volume should be mounted. Defaults to '' (volume's root). subPathExpr: Expanded path within the volume from which the container's volume should be mounted. 
@@ -3200,13 +3351,16 @@ class VolumeMount(K8sSpec): mountPath: str mountPropagation: Optional[str] = None readOnly: Optional[bool] = None + recursiveReadOnly: Optional[str] = None subPath: Optional[str] = None subPathExpr: Optional[str] = None @dataclass class VolumeProjection(K8sSpec): - """Projection that may be projected along with other supported volume types + """Projection that may be projected along with other supported volume types. Exactly one of these fields + must be set. + Attributes: clusterTrustBundle: ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field of ClusterTrustBundle objects in an auto-updating file. Alpha, gated by the @@ -3301,8 +3455,7 @@ class AttachedVolume(K8sSpec): @dataclass class Binding(K8sResource): - """Binding ties one object to another; for example, a pod is bound to a node by a scheduler. Deprecated - in 1.7, please use the bindings subresource of pods instead. + """Binding ties one object to another; for example, a pod is bound to a node by a scheduler. Attributes: apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers @@ -3318,7 +3471,7 @@ class Binding(K8sResource): target: ObjectReference apiVersion: Literal['v1'] = 'v1' kind: Literal['Binding'] = 'Binding' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None @dataclass @@ -3372,7 +3525,7 @@ class ComponentStatus(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['ComponentStatus'] = 'ComponentStatus' conditions: Optional[List[ComponentCondition]] = None - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None @dataclass 
@@ -3405,7 +3558,7 @@ class ConfigMap(K8sResource): binaryData: Optional[JSONDict] = None data: Optional[JSONDict] = None immutable: Optional[bool] = None - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None @dataclass @@ -3522,6 +3675,8 @@ class ContainerStatus(K8sSpec): allocatedResources: AllocatedResources represents the compute resources allocated for this container by the node. Kubelet sets this value to Container.Resources.Requests upon successful pod admission and after successfully admitting desired pod resize. + allocatedResourcesStatus: AllocatedResourcesStatus represents the status of various resources + allocated for this Pod. containerID: ContainerID is the ID of the container in the format '://'. Where type is a container runtime identifier, returned from Version call of CRI API (for example 'containerd'). @@ -3550,6 +3705,10 @@ class ContainerStatus(K8sSpec): is running and has passed the postStart lifecycle hook. The null value must be treated the same as false. state: State holds details about the container's current condition. + stopSignal: StopSignal reports the effective stop signal for this container + user: User represents user identity information initially attached to the first process of the + container + volumeMounts: Status of volume mounts. """ 
@@ -3559,11 +3718,28 @@ class ContainerStatus(K8sSpec): image: str imageID: str allocatedResources: Optional[JSONDict] = None + allocatedResourcesStatus: Optional[List[ResourceStatus]] = None containerID: Optional[str] = None lastState: Optional[ContainerState] = None resources: Optional[ResourceRequirements] = None started: Optional[bool] = None state: Optional[ContainerState] = None + stopSignal: Optional[str] = None + user: Optional[ContainerUser] = None + volumeMounts: Optional[List[VolumeMountStatus]] = None + + +@dataclass +class ContainerUser(K8sSpec): + """ContainerUser represents user identity information + Attributes: + linux: Linux holds user identity information initially attached to the first process of the containers + in Linux. Note that the actual running identity can be changed if the process has enough privilege + to do so. + + """ + + linux: Optional[LinuxContainerUser] = None @dataclass @@ -3580,7 +3756,8 @@ class DaemonEndpoint(K8sSpec): @dataclass class EndpointAddress(K8sSpec): - """EndpointAddress is a tuple that describes single IP address. + """EndpointAddress is a tuple that describes single IP address. Deprecated: This API is deprecated in + v1.33+. Attributes: hostname: The Hostname of this endpoint @@ -3600,7 +3777,7 @@ class EndpointAddress(K8sSpec): @dataclass class EndpointPort(K8sSpec): - """EndpointPort is a tuple that describes a single port. + """EndpointPort is a tuple that describes a single port. Deprecated: This API is deprecated in v1.33+. Attributes: appProtocol: The application protocol for this port. This is used as a hint for implementations to 
@@ -3632,7 +3809,8 @@ class EndpointSubset(K8sSpec): the Cartesian product of Addresses x Ports. For example, given: { Addresses: [{'ip': '10.10.1.1'}, {'ip': '10.10.2.2'}], Ports: [{'name': 'a', 'port': 8675}, {'name': 'b', 'port': 309}] } The resulting set of endpoints can be viewed as: a: [ - 10.10.1.1:8675, 10.10.2.2:8675 ], b: [ 10.10.1.1:309, 10.10.2.2:309 ] + 10.10.1.1:8675, 10.10.2.2:8675 ], b: [ 10.10.1.1:309, 10.10.2.2:309 ] Deprecated: This API is + deprecated in v1.33+. Attributes: addresses: IP addresses which offer the related ports that are marked as ready. These endpoints should @@ -3655,7 +3833,10 @@ class Endpoints(K8sResource): 'mysvc', Subsets: [ { Addresses: [{'ip': '10.10.1.1'}, {'ip': '10.10.2.2'}], Ports: [{'name': 'a', 'port': 8675}, {'name': 'b', 'port': 309}] }, { Addresses: [{'ip': '10.10.3.3'}], Ports: [{'name': 'a', - 'port': 93}, {'name': 'b', 'port': 76}] }, ] + 'port': 93}, {'name': 'b', 'port': 76}] }, ] Endpoints is a legacy API and does + not contain information about all Service features. Use discoveryv1.EndpointSlice for complete + information about Service endpoints. Deprecated: This API is deprecated in v1.33+. Use + discoveryv1.EndpointSlice. Attributes: apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers @@ -3675,7 +3856,7 @@ class Endpoints(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['Endpoints'] = 'Endpoints' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None subsets: Optional[List[EndpointSubset]] = None @@ -3712,7 +3893,7 @@ class Event(K8sResource): """ - metadata: gybe.k8s.v1_29.meta.v1.ObjectMeta + metadata: gybe.k8s.v1_33.meta.v1.ObjectMeta involvedObject: ObjectReference apiVersion: Literal['v1'] = 'v1' kind: Literal['Event'] = 'Event' @@ -3755,7 +3936,7 @@ class HostIP(K8sSpec): """ - ip: Optional[str] = None + ip: str @dataclass 
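Review bot: `ip` on HostIP changes from `ip: Optional[str] = None` to the required `ip: str`, and PodIP gets the same change in a later hunk, which is an interface break the commit message does not mention. Code that constructs `HostIP()` or `PodIP()` without an argument will now fail, and a loader that builds these dataclasses from a status entry without `ip` would presumably raise instead of yielding `None`; how K8sSpec handles a missing key is not visible here. Worth a changelog line, plus a short comment on the field such as `# required since the v1_33 schema; was Optional in v1_29`.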
@@ -3775,7 +3956,7 @@ class LimitRange(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['LimitRange'] = 'LimitRange' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[LimitRangeSpec] = None @@ -3816,6 +3997,22 @@ class LimitRangeSpec(K8sSpec): limits: List[LimitRangeItem] +@dataclass +class LinuxContainerUser(K8sSpec): + """LinuxContainerUser represents user identity information in Linux containers + Attributes: + gid: GID is the primary gid initially attached to the first process in the container + supplementalGroups: SupplementalGroups are the supplemental groups initially attached to the first + process in the container + uid: UID is the primary uid initially attached to the first process in the container + + """ + + uid: int + gid: int + supplementalGroups: Optional[List[int]] = None + + @dataclass class LoadBalancerIngress(K8sSpec): """LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the @@ -3873,7 +4070,7 @@ class Namespace(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['Namespace'] = 'Namespace' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[NamespaceSpec] = None status: Optional[NamespaceStatus] = None @@ -3883,9 +4080,9 @@ class NamespaceCondition(K8sSpec): """NamespaceCondition contains details about state of namespace. Attributes: - lastTransitionTime: ... - message: ... - reason: ... + lastTransitionTime: Last time the condition transitioned from one status to another. + message: Human-readable message indicating details about last transition. + reason: Unique, one-word, CamelCase reason for the condition's last transition. status: Status of the condition, one of True, False, Unknown. type: Type of namespace controller condition. 
@@ -3945,7 +4142,7 @@ class Node(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['Node'] = 'Node' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[NodeSpec] = None status: Optional[NodeStatus] = None @@ -4054,6 +4251,51 @@ class NodeDaemonEndpoints(K8sSpec): kubeletEndpoint: Optional[DaemonEndpoint] = None +@dataclass +class NodeFeatures(K8sSpec): + """NodeFeatures describes the set of features implemented by the CRI implementation. The features + contained in the NodeFeatures should depend only on the cri implementation independent of runtime + handlers. + + Attributes: + supplementalGroupsPolicy: SupplementalGroupsPolicy is set to true if the runtime supports + SupplementalGroupsPolicy and ContainerUser. + + """ + + supplementalGroupsPolicy: Optional[bool] = None + + +@dataclass +class NodeRuntimeHandler(K8sSpec): + """NodeRuntimeHandler is a set of runtime handler information. + + Attributes: + features: Supported features. + name: Runtime handler name. Empty for the default runtime handler. + + """ + + features: Optional[NodeRuntimeHandlerFeatures] = None + name: Optional[str] = None + + +@dataclass +class NodeRuntimeHandlerFeatures(K8sSpec): + """NodeRuntimeHandlerFeatures is a set of features implemented by the runtime handler. + + Attributes: + recursiveReadOnlyMounts: RecursiveReadOnlyMounts is set to true if the runtime handler supports + RecursiveReadOnlyMounts. + userNamespaces: UserNamespaces is set to true if the runtime handler supports UserNamespaces, + including for volumes. + + """ + + recursiveReadOnlyMounts: Optional[bool] = None + userNamespaces: Optional[bool] = None + + @dataclass class NodeSpec(K8sSpec): """NodeSpec describes the attributes that a node is created with. 
@@ -4096,9 +4338,11 @@ class NodeStatus(K8sSpec): conditions: Conditions is an array of current observed node conditions. config: Status of the config assigned to the node via the dynamic Kubelet config feature. daemonEndpoints: Endpoints of daemons running on the Node. + features: Features describes the set of features implemented by the CRI implementation. images: List of container images on this node nodeInfo: Set of ids/uuids to uniquely identify the node. phase: NodePhase is the recently observed lifecycle phase of the node. + runtimeHandlers: The available runtime handlers. volumesAttached: List of volumes that are attached to the node. volumesInUse: List of attachable volumes in use (mounted) by the node. @@ -4110,13 +4354,27 @@ class NodeStatus(K8sSpec): conditions: Optional[List[NodeCondition]] = None config: Optional[NodeConfigStatus] = None daemonEndpoints: Optional[NodeDaemonEndpoints] = None + features: Optional[NodeFeatures] = None images: Optional[List[ContainerImage]] = None nodeInfo: Optional[NodeSystemInfo] = None phase: Optional[str] = None + runtimeHandlers: Optional[List[NodeRuntimeHandler]] = None volumesAttached: Optional[List[AttachedVolume]] = None volumesInUse: Optional[List[str]] = None +@dataclass +class NodeSwapStatus(K8sSpec): + """NodeSwapStatus represents swap memory information. + + Attributes: + capacity: Total amount of swap memory in bytes. + + """ + + capacity: Optional[int] = None + + @dataclass class NodeSystemInfo(K8sSpec): """NodeSystemInfo is a set of ids/uuids to uniquely identify the node. 
@@ -4127,13 +4385,14 @@ class NodeSystemInfo(K8sSpec): containerRuntimeVersion: ContainerRuntime Version reported by the node through runtime remote API (e.g. containerd://1.4.2). kernelVersion: Kernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64). - kubeProxyVersion: KubeProxy Version reported by the node. + kubeProxyVersion: Deprecated: KubeProxy Version reported by the node. kubeletVersion: Kubelet Version reported by the node. machineID: MachineID reported by the node. For unique machine identification in the cluster this field is preferred. Learn more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine- id.5.html operatingSystem: The Operating System reported by the node osImage: OS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)). + swap: Swap Info reported by the node. systemUUID: SystemUUID reported by the node. For unique machine identification MachineID is preferred. This field is specific to Red Hat hosts https://access.redhat.com/documentation/en- us/red_hat_subscription_management/1/html/rhsm/uuid @@ -4150,6 +4409,7 @@ class NodeSystemInfo(K8sSpec): kubeProxyVersion: str operatingSystem: str architecture: str + swap: Optional[NodeSwapStatus] = None @dataclass @@ -4172,7 +4432,7 @@ class PersistentVolume(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['PersistentVolume'] = 'PersistentVolume' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[PersistentVolumeSpec] = None status: Optional[PersistentVolumeStatus] = None 
@@ -4183,9 +4443,7 @@ class PersistentVolumeStatus(K8sSpec): Attributes: lastPhaseTransitionTime: lastPhaseTransitionTime is the time the phase transitioned from one to - another and automatically resets to current time everytime a volume phase transitions. This is a - beta field and requires the PersistentVolumeLastPhaseTransitionTime feature to be enabled (enabled - by default). + another and automatically resets to current time everytime a volume phase transitions. message: message is a human-readable message indicating details about why the volume is in this state. phase: phase indicates if a volume is available, bound to a claim, or released by a claim. reason: reason is a brief CamelCase string that describes any failure and is meant for machine parsing @@ -4219,7 +4477,7 @@ class Pod(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['Pod'] = 'Pod' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[PodSpec] = None status: Optional[PodStatus] = None @@ -4232,6 +4490,9 @@ class PodCondition(K8sSpec): lastProbeTime: Last time we probed the condition. lastTransitionTime: Last time the condition transitioned from one status to another. message: Human-readable message indicating details about last transition. + observedGeneration: If set, this represents the .metadata.generation that the pod condition was set + based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this + field. reason: Unique, one-word, CamelCase reason for the condition's last transition. status: Status is the status of the condition. Can be True, False, Unknown. type: Type is the type of the condition. @@ -4243,6 +4504,7 @@ class PodCondition(K8sSpec): lastProbeTime: Optional[str] = None lastTransitionTime: Optional[str] = None message: Optional[str] = None + observedGeneration: Optional[int] = None reason: Optional[str] = None 
@@ -4255,7 +4517,7 @@ class PodIP(K8sSpec): """ - ip: Optional[str] = None + ip: str @dataclass @@ -4267,7 +4529,7 @@ class PodResourceClaimStatus(K8sSpec): name: Name uniquely identifies this resource claim inside the pod. This must match the name of an entry in pod.spec.resourceClaims, which implies that the string must be a DNS_LABEL. resourceClaimName: ResourceClaimName is the name of the ResourceClaim that was generated for the Pod - in the namespace of the Pod. It this is unset, then generating a ResourceClaim was not necessary. + in the namespace of the Pod. If this is unset, then generating a ResourceClaim was not necessary. The pod.spec.resourceClaims entry can be ignored in this case. """ 
@@ -4283,8 +4545,16 @@ class PodStatus(K8sSpec): Attributes: conditions: Current service state of pod. - containerStatuses: The list has one entry per container in the manifest. - ephemeralContainerStatuses: Status for any ephemeral containers that have run in this pod. + containerStatuses: Statuses of containers in this pod. Each container in the pod should have at most + one status in this list, and all statuses should be for containers in the pod. However this is not + enforced. If a status for a non-existent container is present in the list, or the list has + duplicate names, the behavior of various Kubernetes components is not defined and those statuses + might be ignored. + ephemeralContainerStatuses: Statuses for any ephemeral containers that have run in this pod. Each + ephemeral container in the pod should have at most one status in this list, and all statuses + should be for containers in the pod. However this is not enforced. If a status for a non-existent + container is present in the list, or the list has duplicate names, the behavior of various + Kubernetes components is not defined and those statuses might be ignored. hostIP: hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will not be updated even if there is a node is assigned to pod 
@@ -4292,9 +4562,12 @@ class PodStatus(K8sSpec): entry must match the hostIP field. This list is empty if the pod has not started yet. A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will not be updated even if there is a node is assigned to this pod. - initContainerStatuses: The list has one entry per init container in the manifest. The most recent - successful init container will have ready = true, the most recently started container will have - startTime set. + initContainerStatuses: Statuses of init containers in this pod. The most recent successful non- + restartable init container will have ready = true, the most recently started container will have + startTime set. Each init container in the pod should have at most one status in this list, and all + statuses should be for containers in the pod. However this is not enforced. If a status for a non- + existent container is present in the list, or the list has duplicate names, the behavior of + various Kubernetes components is not defined and those statuses might be ignored. message: A human readable message indicating details about why the pod is in this condition. nominatedNodeName: nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. 
@@ -4302,6 +4575,8 @@ class PodStatus(K8sSpec): place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled. + observedGeneration: If set, this represents the .metadata.generation that the pod status was set based + upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field. phase: The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values: Pending: The @@ -4324,7 +4599,11 @@ class PodStatus(K8sSpec): reason: A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted' resize: Status of resources resize desired for pod's containers. It is empty if no resources resize is - pending. Any changes to container resources will automatically set this to 'Proposed' + pending. Any changes to container resources will automatically set this to 'Proposed' Deprecated: + Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress. + PodResizePending will track states where the spec has been resized, but the Kubelet has not yet + allocated the resources. PodResizeInProgress will track in-progress resizes, and should be present + whenever allocated resources != acknowledged resources. resourceClaimStatuses: Status of resource claims. startTime: RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod. 
@@ -4339,6 +4618,7 @@ class PodStatus(K8sSpec): initContainerStatuses: Optional[List[ContainerStatus]] = None message: Optional[str] = None nominatedNodeName: Optional[str] = None + observedGeneration: Optional[int] = None phase: Optional[str] = None podIP: Optional[str] = None podIPs: Optional[List[PodIP]] = None @@ -4368,14 +4648,13 @@ class PodTemplate(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['PodTemplate'] = 'PodTemplate' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None template: Optional[PodTemplateSpec] = None @dataclass class PortStatus(K8sSpec): - """Schema model io.k8s.api.core.v1.PortStatus. - + """PortStatus represents the error condition of a service port Attributes: error: Error is to record the problem with the service port The format of the error shall comply with the following rules: - built-in error values shall be specified in this file and those shall use @@ -4412,7 +4691,7 @@ class ReplicationController(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['ReplicationController'] = 'ReplicationController' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ReplicationControllerSpec] = None status: Optional[ReplicationControllerStatus] = None 
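Review bot: The new PortStatus docstring runs its summary straight into `Attributes:`, because the added line has no closing period and the blank separator line that followed the old summary is removed. The IPAddress docstring added in networking/v1.py has the same shape (`... or 2001:db8:0:0:0::1` directly followed by `Attributes:`), while every added docstring whose description ends in a period keeps the blank line. These modules look like generator output, so the fix probably belongs in the codegen template: always emit an empty line before `Attributes:`, whatever the upstream description ends with. The PortStatus class body continues past the end of this hunk.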
@@ -4488,6 +4767,26 @@ class ReplicationControllerStatus(K8sSpec): readyReplicas: Optional[int] = None +@dataclass +class ResourceHealth(K8sSpec): + """ResourceHealth represents the health of a resource. It has the latest device health information. This + is a part of KEP https://kep.k8s.io/4680. + + Attributes: + health: Health of the resource. can be one of: - Healthy: operates as normal - Unhealthy: reported + unhealthy. We consider this a temporary health issue since we do not have a + mechanism today to distinguish temporary and permanent issues. - Unknown: The + status cannot be determined. For example, Device Plugin got unregistered and hasn't + been re-registered since. In future we may want to introduce the PermanentlyUnhealthy Status. + resourceID: ResourceID is the unique identifier of the resource. See the ResourceID type for more + information. + + """ + + resourceID: str + health: Optional[str] = None + + @dataclass class ResourceQuota(K8sResource): """ResourceQuota sets aggregate quota restrictions enforced per namespace @@ -4508,7 +4807,7 @@ class ResourceQuota(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['ResourceQuota'] = 'ResourceQuota' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ResourceQuotaSpec] = None status: Optional[ResourceQuotaStatus] = None 
@@ -4546,6 +4845,27 @@ class ResourceQuotaStatus(K8sSpec): used: Optional[JSONDict] = None +@dataclass +class ResourceStatus(K8sSpec): + """ResourceStatus represents the status of a single resource allocated to a Pod. + + Attributes: + name: Name of the resource. Must be unique within the pod and in case of non-DRA resource, match one + of the resources from the pod spec. For DRA resources, the value must be + 'claim:/'. When this status is reported about a container, the 'claim_name' + and 'request' must match one of the claims of this container. + resources: List of unique resources health. Each element in the list contains an unique resource ID + and its health. At a minimum, for the lifetime of a Pod, resource ID must uniquely identify the + resource allocated to the Pod on the Node. If other Pod on the same Node reports the status with + the same resource ID, it must be the same resource they share. See ResourceID type definition for + a specific format it has in various use cases. + + """ + + name: str + resources: Optional[List[ResourceHealth]] = None + + @dataclass class ScopeSelector(K8sSpec): """A scope selector represents the AND of the selectors represented by the scoped-resource selector @@ -4609,7 +4929,7 @@ class Secret(K8sResource): kind: Literal['Secret'] = 'Secret' data: Optional[JSONDict] = None immutable: Optional[bool] = None - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None stringData: Optional[JSONDict] = None type: Optional[str] = None @@ -4635,7 +4955,7 @@ class Service(K8sResource): apiVersion: Literal['v1'] = 'v1' kind: Literal['Service'] = 'Service' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ServiceSpec] = None status: Optional[ServiceStatus] = None 
@@ -4660,10 +4980,11 @@ class ServiceAccount(K8sResource): metadata: Standard object's metadata. secrets: Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has - a 'kubernetes.io/enforce-mountable-secrets' annotation set to 'true'. This field should not be - used to find auto-generated service account token secrets for use outside of pods. Instead, tokens - can be requested directly using the TokenRequest API, or service account token secrets can be - manually created. + a 'kubernetes.io/enforce-mountable-secrets' annotation set to 'true'. The 'kubernetes.io/enforce- + mountable-secrets' annotation is deprecated since v1.32. Prefer separate namespaces to isolate + access to mounted secrets. This field should not be used to find auto-generated service account + token secrets for use outside of pods. Instead, tokens can be requested directly using the + TokenRequest API, or service account token secrets can be manually created. """ @@ -4671,7 +4992,7 @@ class ServiceAccount(K8sResource): kind: Literal['ServiceAccount'] = 'ServiceAccount' automountServiceAccountToken: Optional[bool] = None imagePullSecrets: Optional[List[LocalObjectReference]] = None - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None secrets: Optional[List[ObjectReference]] = None 
@@ -4835,6 +5156,11 @@ class ServiceSpec(K8sSpec): sessionAffinity: Supports 'ClientIP' and 'None'. Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. sessionAffinityConfig: sessionAffinityConfig contains the configurations of session affinity. + trafficDistribution: TrafficDistribution offers a way to express preferences for how traffic is + distributed to Service endpoints. Implementations can use this field as a hint, but are not + required to guarantee strict adherence. If the field is not set, the implementation will apply its + default routing strategy. If set to 'PreferClose', implementations should prioritize endpoints + that are in the same zone. type: type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. 'ClusterIP' allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is @@ -4866,6 +5192,7 @@ class ServiceSpec(K8sSpec): selector: Optional[JSONDict] = None sessionAffinity: Optional[str] = None sessionAffinityConfig: Optional[SessionAffinityConfig] = None + trafficDistribution: Optional[str] = None type: Optional[str] = None @@ -4879,7 +5206,7 @@ class ServiceStatus(K8sSpec): """ - conditions: Optional[List[gybe.k8s.v1_29.meta.v1.Condition]] = None + conditions: Optional[List[gybe.k8s.v1_33.meta.v1.Condition]] = None loadBalancer: Optional[LoadBalancerStatus] = None 
@@ -4913,3 +5240,23 @@ class Taint(K8sSpec): effect: str timeAdded: Optional[str] = None value: Optional[str] = None + + +@dataclass +class VolumeMountStatus(K8sSpec): + """VolumeMountStatus shows status of volume mounts. + + Attributes: + mountPath: MountPath corresponds to the original VolumeMount. + name: Name corresponds to the name of the original VolumeMount. + readOnly: ReadOnly corresponds to the original VolumeMount. + recursiveReadOnly: RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non- + readonly mounts). An IfPossible value in the original VolumeMount must be translated to Disabled + or Enabled, depending on the mount result. + + """ + + name: str + mountPath: str + readOnly: Optional[bool] = None + recursiveReadOnly: Optional[str] = None diff --git a/gybe/k8s/v1_29/discovery/v1.py b/gybe/k8s/v1_33/discovery/v1.py similarity index 64% rename from gybe/k8s/v1_29/discovery/v1.py rename to gybe/k8s/v1_33/discovery/v1.py index 56b62ee..4b94c6b 100644 --- a/gybe/k8s/v1_29/discovery/v1.py +++ b/gybe/k8s/v1_33/discovery/v1.py @@ -5,8 +5,8 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.core.v1 -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.core.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONDict, K8sResource, K8sSpec 
@@ -15,11 +15,11 @@ class Endpoint(K8sSpec): """Endpoint represents a single logical 'backend' implementing a service. Attributes: - addresses: addresses of this endpoint. The contents of this field are interpreted according to the - corresponding EndpointSlice addressType field. Consumers must handle different types of addresses - in the context of their own capabilities. This must contain at least one address but no more than - 100. These are all assumed to be fungible and clients may choose to only use the first element. - Refer to: https://issue.k8s.io/106267 + addresses: addresses of this endpoint. For EndpointSlices of addressType 'IPv4' or 'IPv6', the values + are IP addresses in canonical form. The syntax and semantics of other addressType values are not + defined. This must contain at least one address but no more than 100. EndpointSlices generated by + the EndpointSlice controller will always have exactly 1 address. No semantics are defined for + additional addresses beyond the first, and kube-proxy does not look at them. conditions: conditions contains information about the current status of the endpoint. deprecatedTopology: deprecatedTopology contains topology information part of the v1beta1 API. This field is deprecated, and will be removed when the v1beta1 API is removed (no sooner than @@ -44,7 +44,7 @@ class Endpoint(K8sSpec): hints: Optional[EndpointHints] = None hostname: Optional[str] = None nodeName: Optional[str] = None - targetRef: Optional[gybe.k8s.v1_29.core.v1.ObjectReference] = None + targetRef: Optional[gybe.k8s.v1_33.core.v1.ObjectReference] = None zone: Optional[str] = None 
@@ -53,16 +53,16 @@ class EndpointConditions(K8sSpec): """EndpointConditions represents the current condition of an endpoint. Attributes: - ready: ready indicates that this endpoint is prepared to receive traffic, according to whatever system - is managing the endpoint. A nil value indicates an unknown state. In most cases consumers should - interpret this unknown state as ready. For compatibility reasons, ready should never be 'true' for - terminating endpoints, except when the normal readiness behavior is being explicitly overridden, - for example when the associated Service has set the publishNotReadyAddresses flag. - serving: serving is identical to ready except that it is set regardless of the terminating state of - endpoints. This condition should be set to true for a ready endpoint that is terminating. If nil, - consumers should defer to the ready condition. - terminating: terminating indicates that this endpoint is terminating. A nil value indicates an unknown - state. Consumers should interpret this unknown state to mean that the endpoint is not terminating. + ready: ready indicates that this endpoint is ready to receive traffic, according to whatever system is + managing the endpoint. A nil value should be interpreted as 'true'. In general, an endpoint should + be marked ready if it is serving and not terminating, though this can be overridden in some cases, + such as when the associated Service has set the publishNotReadyAddresses flag. + serving: serving indicates that this endpoint is able to receive traffic, according to whatever system + is managing the endpoint. For endpoints backed by pods, the EndpointSlice controller will mark the + endpoint as serving if the pod's Ready condition is True. A nil value should be interpreted as + 'true'. + terminating: terminating indicates that this endpoint is terminating. A nil value should be + interpreted as 'false'. """ 
@@ -76,11 +76,15 @@ class EndpointHints(K8sSpec): """EndpointHints provides hints describing how an endpoint should be consumed. Attributes: - forZones: forZones indicates the zone(s) this endpoint should be consumed by to enable topology aware - routing. + forNodes: forNodes indicates the node(s) this endpoint should be consumed by when using topology aware + routing. May contain a maximum of 8 entries. This is an Alpha feature and is only used when the + PreferSameTrafficDistribution feature gate is enabled. + forZones: forZones indicates the zone(s) this endpoint should be consumed by when using topology aware + routing. May contain a maximum of 8 entries. """ + forNodes: Optional[List[ForNode]] = None forZones: Optional[List[ForZone]] = None @@ -103,8 +107,9 @@ class EndpointPort(K8sSpec): Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string. - port: port represents the port number of the endpoint. If this is not specified, ports are not - restricted and must be interpreted in the context of the specific consumer. + port: port represents the port number of the endpoint. If the EndpointSlice is derived from a + Kubernetes service, this must be set to the service's target port. EndpointSlices used for other + purposes may have a nil port. protocol: protocol represents the IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP. 
@@ -118,15 +123,19 @@ class EndpointPort(K8sSpec): @dataclass class EndpointSlice(K8sResource): - """EndpointSlice represents a subset of the endpoints that implement a service. For a given service there - may be multiple EndpointSlice objects, selected by labels, which must be joined to produce the full - set of endpoints. + """EndpointSlice represents a set of service endpoints. Most EndpointSlices are created by the + EndpointSlice controller to represent the Pods selected by Service objects. For a given service there + may be multiple EndpointSlice objects which must be joined to produce the full set of endpoints; you + can find all of the slices for a given service by listing EndpointSlices in the service's namespace + whose `kubernetes.io/service-name` label contains the service's name. Attributes: addressType: addressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 - Address. * FQDN: Represents a Fully Qualified Domain Name. + Address. * FQDN: Represents a Fully Qualified Domain Name. (Deprecated) The EndpointSlice + controller only generates, and kube-proxy only processes, slices of addressType 'IPv4' and 'IPv6'. + No semantics are defined for the 'FQDN' type. apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
@@ -136,9 +145,9 @@ class EndpointSlice(K8sResource): this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. metadata: Standard object's metadata. ports: ports specifies the list of network ports exposed by each endpoint in this slice. Each port - must have a unique name. When ports is empty, it indicates that there are no defined ports. When a - port is defined with a nil port value, it indicates 'all ports'. Each slice may include a maximum - of 100 ports. + must have a unique name. Each slice may include a maximum of 100 ports. Services always have at + least 1 port, so EndpointSlices generated by the EndpointSlice controller will likewise always + have at least 1 port. EndpointSlices used for other purposes may have an empty ports list. """ @@ -146,10 +155,22 @@ class EndpointSlice(K8sResource): endpoints: List[Endpoint] apiVersion: Literal['discovery.k8s.io/v1'] = 'discovery.k8s.io/v1' kind: Literal['EndpointSlice'] = 'EndpointSlice' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None ports: Optional[List[EndpointPort]] = None +@dataclass +class ForNode(K8sSpec): + """ForNode provides information about which nodes should consume this endpoint. + + Attributes: + name: name represents the name of the node. + + """ + + name: str + + @dataclass class ForZone(K8sSpec): """ForZone provides information about which zones should consume this endpoint. diff --git a/gybe/k8s/v1_29/events/v1.py b/gybe/k8s/v1_33/events/v1.py similarity index 93% rename from gybe/k8s/v1_29/events/v1.py rename to gybe/k8s/v1_33/events/v1.py index 5ad7fb5..148a694 100644 --- a/gybe/k8s/v1_29/events/v1.py +++ b/gybe/k8s/v1_33/events/v1.py 
@@ -5,8 +5,8 @@ from dataclasses import dataclass from typing import Literal, Optional -import gybe.k8s.v1_29.core.v1 -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.core.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec @@ -62,12 +62,12 @@ class Event(K8sResource): deprecatedCount: Optional[int] = None deprecatedFirstTimestamp: Optional[str] = None deprecatedLastTimestamp: Optional[str] = None - deprecatedSource: Optional[gybe.k8s.v1_29.core.v1.EventSource] = None - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + deprecatedSource: Optional[gybe.k8s.v1_33.core.v1.EventSource] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None note: Optional[str] = None reason: Optional[str] = None - regarding: Optional[gybe.k8s.v1_29.core.v1.ObjectReference] = None - related: Optional[gybe.k8s.v1_29.core.v1.ObjectReference] = None + regarding: Optional[gybe.k8s.v1_33.core.v1.ObjectReference] = None + related: Optional[gybe.k8s.v1_33.core.v1.ObjectReference] = None reportingController: Optional[str] = None reportingInstance: Optional[str] = None series: Optional[EventSeries] = None diff --git a/gybe/k8s/v1_29/flowcontrol/v1.py b/gybe/k8s/v1_33/flowcontrol/v1.py similarity index 99% rename from gybe/k8s/v1_29/flowcontrol/v1.py rename to gybe/k8s/v1_33/flowcontrol/v1.py index 5a12495..85e8fdd 100644 --- a/gybe/k8s/v1_29/flowcontrol/v1.py +++ b/gybe/k8s/v1_33/flowcontrol/v1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec 
@@ -69,7 +69,7 @@ class FlowSchema(K8sResource): apiVersion: Literal['flowcontrol.apiserver.k8s.io/v1'] = 'flowcontrol.apiserver.k8s.io/v1' kind: Literal['FlowSchema'] = 'FlowSchema' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[FlowSchemaSpec] = None status: Optional[FlowSchemaStatus] = None @@ -270,7 +270,7 @@ class PriorityLevelConfiguration(K8sResource): apiVersion: Literal['flowcontrol.apiserver.k8s.io/v1'] = 'flowcontrol.apiserver.k8s.io/v1' kind: Literal['PriorityLevelConfiguration'] = 'PriorityLevelConfiguration' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[PriorityLevelConfigurationSpec] = None status: Optional[PriorityLevelConfigurationStatus] = None diff --git a/gybe/k8s/v1_29/meta/v1.py b/gybe/k8s/v1_33/meta/v1.py similarity index 94% rename from gybe/k8s/v1_29/meta/v1.py rename to gybe/k8s/v1_33/meta/v1.py index 965a220..606bdac 100644 --- a/gybe/k8s/v1_29/meta/v1.py +++ b/gybe/k8s/v1_33/meta/v1.py 
@@ -128,6 +128,15 @@ class DeleteOptions(K8sResource): negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately. + ignoreStoreReadErrorWithClusterBreakingPotential: if set to true, it will trigger an unsafe deletion + of the resource in case the normal deletion flow fails with a corrupt object error. A resource is + considered corrupt if it can not be retrieved from the underlying storage successfully because of + a) its data can not be transformed e.g. decryption failure, or b) it fails to decode into an + object. NOTE: unsafe deletion ignores finalizer constraints, skips precondition checks, and + removes the object from the storage. WARNING: This may potentially break the cluster if the + workload associated with the resource being unsafe-deleted relies on normal deletion flow. Use + only if you REALLY know what you are doing. The default value is false, and the user must opt in + to enable it kind: Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. orphanDependents: Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. @@ -149,6 +158,7 @@ class DeleteOptions(K8sResource): kind: Literal['DeleteOptions'] = 'DeleteOptions' dryRun: Optional[List[str]] = None gracePeriodSeconds: Optional[int] = None + ignoreStoreReadErrorWithClusterBreakingPotential: Optional[bool] = None orphanDependents: Optional[bool] = None preconditions: Optional[Preconditions] = None propagationPolicy: Optional[str] = None 
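Review bot: Inserting `ignoreStoreReadErrorWithClusterBreakingPotential` between `gracePeriodSeconds` and `orphanDependents` shifts every later DeleteOptions field by one position, so a boolean passed positionally for `orphanDependents` would now set the unsafe-deletion flag instead. The same alphabetical insertion appears in this patch for `forNodes` ahead of `forZones` in EndpointHints, `observedGeneration` in PodStatus and `trafficDistribution` in ServiceSpec. These modules look like generator output, so the change belongs in the codegen template: emitting `@dataclass(kw_only=True)` (Python 3.10+, if the project's minimum version allows it) would make field order irrelevant and turn a stale positional call into a TypeError. The DeleteOptions class begins and ends outside these two hunks, so its full field order is not visible here.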
@@ -430,6 +440,37 @@ class WatchEvent(K8sResource): object: JSONObj +@dataclass +class Condition(K8sSpec): + """Condition contains details for one aspect of the current state of this API Resource. + + Attributes: + lastTransitionTime: lastTransitionTime is the last time the condition transitioned from one status to + another. This should be when the underlying condition changed. If that is not known, then using + the time when the API field changed is acceptable. + message: message is a human readable message indicating details about the transition. This may be an + empty string. + observedGeneration: observedGeneration represents the .metadata.generation that the condition was set + based upon. For instance, if .metadata.generation is currently 12, but the + .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the + current state of the instance. + reason: reason contains a programmatic identifier indicating the reason for the condition's last + transition. Producers of specific condition types may define expected values and meanings for this + field, and whether the values are considered a guaranteed API. The value should be a CamelCase + string. This field may not be empty. + status: status of the condition, one of True, False, Unknown. + type: type of condition in CamelCase or in foo.example.com/CamelCase. + + """ + + type: str + status: str + lastTransitionTime: str + reason: str + message: str + observedGeneration: Optional[int] = None + + @dataclass class LabelSelector(K8sSpec): """A label selector is a label query over a set of resources. The result of matchLabels and 
@@ -470,34 +511,22 @@ class LabelSelectorRequirement(K8sSpec): @dataclass -class Condition(K8sSpec): - """Condition contains details for one aspect of the current state of this API Resource. +class FieldSelectorRequirement(K8sSpec): + """FieldSelectorRequirement is a selector that contains values, a key, and an operator that relates the + key and values. Attributes: - lastTransitionTime: lastTransitionTime is the last time the condition transitioned from one status to - another. This should be when the underlying condition changed. If that is not known, then using - the time when the API field changed is acceptable. - message: message is a human readable message indicating details about the transition. This may be an - empty string. - observedGeneration: observedGeneration represents the .metadata.generation that the condition was set - based upon. For instance, if .metadata.generation is currently 12, but the - .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the - current state of the instance. - reason: reason contains a programmatic identifier indicating the reason for the condition's last - transition. Producers of specific condition types may define expected values and meanings for this - field, and whether the values are considered a guaranteed API. The value should be a CamelCase - string. This field may not be empty. - status: status of the condition, one of True, False, Unknown. - type: type of condition in CamelCase or in foo.example.com/CamelCase. + key: key is the field selector key that the requirement applies to. + operator: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, + Exists, DoesNotExist. The list of operators may grow in the future. + values: values is an array of string values. If the operator is In or NotIn, the values array must be + non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
""" - type: str - status: str - lastTransitionTime: str - reason: str - message: str - observedGeneration: Optional[int] = None + key: str + operator: str + values: Optional[List[str]] = None @dataclass diff --git a/gybe/k8s/v1_29/networking/v1.py b/gybe/k8s/v1_33/networking/v1.py similarity index 82% rename from gybe/k8s/v1_29/networking/v1.py rename to gybe/k8s/v1_33/networking/v1.py index b6d9002..b8bc2c7 100644 --- a/gybe/k8s/v1_29/networking/v1.py +++ b/gybe/k8s/v1_33/networking/v1.py @@ -5,8 +5,8 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.core.v1 -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.core.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONObj, K8sResource, K8sSpec 
@@ -52,6 +52,44 @@ class HTTPIngressRuleValue(K8sSpec): paths: List[HTTPIngressPath] +@dataclass +class IPAddress(K8sResource): + """IPAddress represents a single IP of a single IP Family. The object is designed to be used by APIs that + operate on IP addresses. The object is used by the Service core API for allocation of IP addresses. An + IP address can be represented in different formats, to guarantee the uniqueness of the IP, the name of + the object is the IP address in canonical format, four decimal digits separated by dots suppressing + leading zeros for IPv4 and the representation defined by RFC 5952 for IPv6. Valid: 192.168.1.5 or + 2001:db8::1 or 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1 Invalid: 10.01.2.3 or 2001:db8:0:0:0::1 + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: Standard object's metadata. + spec: spec is the desired state of the IPAddress. + + """ + + apiVersion: Literal['networking.k8s.io/v1'] = 'networking.k8s.io/v1' + kind: Literal['IPAddress'] = 'IPAddress' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + spec: Optional[IPAddressSpec] = None + + +@dataclass +class IPAddressSpec(K8sSpec): + """IPAddressSpec describe the attributes in an IP Address. + + Attributes: + parentRef: ParentRef references the resource that an IPAddress is attached to. An IPAddress must + reference a parent object. + + """ + + parentRef: ParentReference + + @dataclass class Ingress(K8sResource): """Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a 
@@ -72,7 +110,7 @@ class Ingress(K8sResource): apiVersion: Literal['networking.k8s.io/v1'] = 'networking.k8s.io/v1' kind: Literal['Ingress'] = 'Ingress' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[IngressSpec] = None status: Optional[IngressStatus] = None @@ -90,7 +128,7 @@ class IngressBackend(K8sSpec): """ - resource: Optional[gybe.k8s.v1_29.core.v1.TypedLocalObjectReference] = None + resource: Optional[gybe.k8s.v1_33.core.v1.TypedLocalObjectReference] = None service: Optional[IngressServiceBackend] = None @@ -114,7 +152,7 @@ class IngressClass(K8sResource): apiVersion: Literal['networking.k8s.io/v1'] = 'networking.k8s.io/v1' kind: Literal['IngressClass'] = 'IngressClass' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[IngressClassSpec] = None @@ -332,7 +370,7 @@ class NetworkPolicy(K8sResource): apiVersion: Literal['networking.k8s.io/v1'] = 'networking.k8s.io/v1' kind: Literal['NetworkPolicy'] = 'NetworkPolicy' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[NetworkPolicySpec] = None @@ -379,8 +417,8 @@ class NetworkPolicyPeer(K8sSpec): """ ipBlock: Optional[JSONObj] = None - namespaceSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None - podSelector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + namespaceSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None + podSelector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None @dataclass 
@@ -436,12 +474,30 @@ class NetworkPolicySpec(K8sSpec): """ - podSelector: gybe.k8s.v1_29.meta.v1.LabelSelector + podSelector: gybe.k8s.v1_33.meta.v1.LabelSelector egress: Optional[List[NetworkPolicyEgressRule]] = None ingress: Optional[List[JSONObj]] = None policyTypes: Optional[List[str]] = None +@dataclass +class ParentReference(K8sSpec): + """ParentReference describes a reference to a parent object. + + Attributes: + group: Group is the group of the object being referenced. + name: Name is the name of the object being referenced. + namespace: Namespace is the namespace of the object being referenced. + resource: Resource is the resource of the object being referenced. + + """ + + resource: str + name: str + group: Optional[str] = None + namespace: Optional[str] = None + + @dataclass class ServiceBackendPort(K8sSpec): """ServiceBackendPort is the service port being referenced. 
@@ -455,3 +511,54 @@ class ServiceBackendPort(K8sSpec): name: Optional[str] = None number: Optional[int] = None + + +@dataclass +class ServiceCIDR(K8sResource): + """ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). + This range is used to allocate ClusterIPs to Service objects. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: Standard object's metadata. + spec: spec is the desired state of the ServiceCIDR. + status: status represents the current state of the ServiceCIDR. + + """ + + apiVersion: Literal['networking.k8s.io/v1'] = 'networking.k8s.io/v1' + kind: Literal['ServiceCIDR'] = 'ServiceCIDR' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + spec: Optional[ServiceCIDRSpec] = None + status: Optional[ServiceCIDRStatus] = None + + +@dataclass +class ServiceCIDRSpec(K8sSpec): + """ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services. + + Attributes: + cidrs: CIDRs defines the IP blocks in CIDR notation (e.g. '192.168.0.0/24' or '2001:db8::/64') from + which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This + field is immutable. + + """ + + cidrs: Optional[List[str]] = None + + +@dataclass +class ServiceCIDRStatus(K8sSpec): + """ServiceCIDRStatus describes the current state of the ServiceCIDR. + + Attributes: + conditions: conditions holds an array of metav1.Condition that describe the state of the ServiceCIDR. + Current service state + + """ + + conditions: Optional[List[gybe.k8s.v1_33.meta.v1.Condition]] = None 
diff --git a/gybe/k8s/v1_29/networking/v1alpha1.py b/gybe/k8s/v1_33/networking/v1beta1.py similarity index 88% rename from gybe/k8s/v1_29/networking/v1alpha1.py rename to gybe/k8s/v1_33/networking/v1beta1.py index 31a988a..e3616f9 100644 --- a/gybe/k8s/v1_29/networking/v1alpha1.py +++ b/gybe/k8s/v1_33/networking/v1beta1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec @@ -28,9 +28,9 @@ class IPAddress(K8sResource): """ - apiVersion: Literal['networking.k8s.io/v1alpha1'] = 'networking.k8s.io/v1alpha1' + apiVersion: Literal['networking.k8s.io/v1beta1'] = 'networking.k8s.io/v1beta1' kind: Literal['IPAddress'] = 'IPAddress' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[IPAddressSpec] = None @@ -44,7 +44,7 @@ class IPAddressSpec(K8sSpec): """ - parentRef: Optional[ParentReference] = None + parentRef: ParentReference @dataclass @@ -59,10 +59,10 @@ class ParentReference(K8sSpec): """ + resource: str + name: str group: Optional[str] = None - name: Optional[str] = None namespace: Optional[str] = None - resource: Optional[str] = None @dataclass @@ -82,9 +82,9 @@ class ServiceCIDR(K8sResource): """ - apiVersion: Literal['networking.k8s.io/v1alpha1'] = 'networking.k8s.io/v1alpha1' + apiVersion: Literal['networking.k8s.io/v1beta1'] = 'networking.k8s.io/v1beta1' kind: Literal['ServiceCIDR'] = 'ServiceCIDR' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[ServiceCIDRSpec] = None status: Optional[ServiceCIDRStatus] = None @@ -113,4 +113,4 @@ class ServiceCIDRStatus(K8sSpec): """ - conditions: Optional[List[gybe.k8s.v1_29.meta.v1.Condition]] = None + conditions: Optional[List[gybe.k8s.v1_33.meta.v1.Condition]] = None 
diff --git a/gybe/k8s/v1_29/node/v1.py b/gybe/k8s/v1_33/node/v1.py similarity index 95% rename from gybe/k8s/v1_29/node/v1.py rename to gybe/k8s/v1_33/node/v1.py index a780003..85e90a0 100644 --- a/gybe/k8s/v1_29/node/v1.py +++ b/gybe/k8s/v1_33/node/v1.py @@ -5,8 +5,8 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.core.v1 -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.core.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONDict, K8sResource, K8sSpec @@ -55,7 +55,7 @@ class RuntimeClass(K8sResource): handler: str apiVersion: Literal['node.k8s.io/v1'] = 'node.k8s.io/v1' kind: Literal['RuntimeClass'] = 'RuntimeClass' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None overhead: Optional[Overhead] = None scheduling: Optional[Scheduling] = None @@ -75,4 +75,4 @@ class Scheduling(K8sSpec): """ nodeSelector: Optional[JSONDict] = None - tolerations: Optional[List[gybe.k8s.v1_29.core.v1.Toleration]] = None + tolerations: Optional[List[gybe.k8s.v1_33.core.v1.Toleration]] = None diff --git a/gybe/k8s/v1_33/pkg/version.py b/gybe/k8s/v1_33/pkg/version.py new file mode 100644 index 0000000..7e76e43 --- /dev/null +++ b/gybe/k8s/v1_33/pkg/version.py 
@@ -0,0 +1,44 @@ +"""Models generated from Kubernetes OpenAPI Spec.""" + +from __future__ import annotations + +from dataclasses import dataclass +from typing import Optional + +from gybe.k8s.types import K8sSpec + + +@dataclass +class Info(K8sSpec): + """Info contains versioning information. how we'll want to distribute that information. + + Attributes: + buildDate: ... + compiler: ... + emulationMajor: EmulationMajor is the major version of the emulation version + emulationMinor: EmulationMinor is the minor version of the emulation version + gitCommit: ... + gitTreeState: ... + gitVersion: ... + goVersion: ... + major: Major is the major version of the binary version + minCompatibilityMajor: MinCompatibilityMajor is the major version of the minimum compatibility version + minCompatibilityMinor: MinCompatibilityMinor is the minor version of the minimum compatibility version + minor: Minor is the minor version of the binary version + platform: ... + + """ + + major: str + minor: str + gitVersion: str + gitCommit: str + gitTreeState: str + buildDate: str + goVersion: str + compiler: str + platform: str + emulationMajor: Optional[str] = None + emulationMinor: Optional[str] = None + minCompatibilityMajor: Optional[str] = None + minCompatibilityMinor: Optional[str] = None diff --git a/gybe/k8s/v1_29/policy/v1.py b/gybe/k8s/v1_33/policy/v1.py similarity index 93% rename from gybe/k8s/v1_29/policy/v1.py rename to gybe/k8s/v1_33/policy/v1.py index 19d2f15..69db0ac 100644 --- a/gybe/k8s/v1_29/policy/v1.py +++ b/gybe/k8s/v1_33/policy/v1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import JSONDict, K8sResource, K8sSpec 
@@ -28,8 +28,8 @@ class Eviction(K8sResource): apiVersion: Literal['policy/v1'] = 'policy/v1' kind: Literal['Eviction'] = 'Eviction' - deleteOptions: Optional[gybe.k8s.v1_29.meta.v1.DeleteOptions] = None - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + deleteOptions: Optional[gybe.k8s.v1_33.meta.v1.DeleteOptions] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None @dataclass @@ -50,7 +50,7 @@ class PodDisruptionBudget(K8sResource): apiVersion: Literal['policy/v1'] = 'policy/v1' kind: Literal['PodDisruptionBudget'] = 'PodDisruptionBudget' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None spec: Optional[PodDisruptionBudgetSpec] = None status: Optional[PodDisruptionBudgetStatus] = None @@ -82,14 +82,13 @@ class PodDisruptionBudgetSpec(K8sSpec): disrupted application might not get a chance to become healthy. Healthy pods will be subject to the PDB for eviction. Additional policies may be added in the future. Clients making eviction decisions should disallow eviction of unhealthy pods if they encounter an unrecognized policy in - this field. This field is beta-level. The eviction API uses this field when the feature gate - PDBUnhealthyPodEvictionPolicy is enabled (enabled by default). + this field. """ maxUnavailable: Optional[str] = None minAvailable: Optional[str] = None - selector: Optional[gybe.k8s.v1_29.meta.v1.LabelSelector] = None + selector: Optional[gybe.k8s.v1_33.meta.v1.LabelSelector] = None unhealthyPodEvictionPolicy: Optional[str] = None @@ -132,6 +131,6 @@ class PodDisruptionBudgetStatus(K8sSpec): currentHealthy: int desiredHealthy: int expectedPods: int - conditions: Optional[List[gybe.k8s.v1_29.meta.v1.Condition]] = None + conditions: Optional[List[gybe.k8s.v1_33.meta.v1.Condition]] = None disruptedPods: Optional[JSONDict] = None observedGeneration: Optional[int] = None 
diff --git a/gybe/k8s/v1_29/rbac/v1.py b/gybe/k8s/v1_33/rbac/v1.py similarity index 96% rename from gybe/k8s/v1_29/rbac/v1.py rename to gybe/k8s/v1_33/rbac/v1.py index a4e5d09..4b9d6d3 100644 --- a/gybe/k8s/v1_29/rbac/v1.py +++ b/gybe/k8s/v1_33/rbac/v1.py @@ -5,7 +5,7 @@ from dataclasses import dataclass from typing import List, Literal, Optional -import gybe.k8s.v1_29.meta.v1 +import gybe.k8s.v1_33.meta.v1 from gybe.k8s.types import K8sResource, K8sSpec @@ -19,7 +19,7 @@ class AggregationRule(K8sSpec): """ - clusterRoleSelectors: Optional[List[gybe.k8s.v1_29.meta.v1.LabelSelector]] = None + clusterRoleSelectors: Optional[List[gybe.k8s.v1_33.meta.v1.LabelSelector]] = None @dataclass @@ -44,7 +44,7 @@ class ClusterRole(K8sResource): apiVersion: Literal['rbac.authorization.k8s.io/v1'] = 'rbac.authorization.k8s.io/v1' kind: Literal['ClusterRole'] = 'ClusterRole' aggregationRule: Optional[AggregationRule] = None - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None rules: Optional[List[PolicyRule]] = None @@ -69,7 +69,7 @@ class ClusterRoleBinding(K8sResource): roleRef: RoleRef apiVersion: Literal['rbac.authorization.k8s.io/v1'] = 'rbac.authorization.k8s.io/v1' kind: Literal['ClusterRoleBinding'] = 'ClusterRoleBinding' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None subjects: Optional[List[Subject]] = None @@ -120,7 +120,7 @@ class Role(K8sResource): apiVersion: Literal['rbac.authorization.k8s.io/v1'] = 'rbac.authorization.k8s.io/v1' kind: Literal['Role'] = 'Role' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None rules: Optional[List[PolicyRule]] = None 
@@ -148,7 +148,7 @@ class RoleBinding(K8sResource): roleRef: RoleRef apiVersion: Literal['rbac.authorization.k8s.io/v1'] = 'rbac.authorization.k8s.io/v1' kind: Literal['RoleBinding'] = 'RoleBinding' - metadata: Optional[gybe.k8s.v1_29.meta.v1.ObjectMeta] = None + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None subjects: Optional[List[Subject]] = None diff --git a/gybe/k8s/v1_33/resource/v1alpha3.py b/gybe/k8s/v1_33/resource/v1alpha3.py new file mode 100644 index 0000000..1848711 --- /dev/null +++ b/gybe/k8s/v1_33/resource/v1alpha3.py 
@@ -0,0 +1,925 @@ +"""Models generated from Kubernetes OpenAPI Spec.""" + +from __future__ import annotations + +from dataclasses import dataclass +from typing import List, Literal, Optional + +import gybe.k8s.v1_33.api.resource +import gybe.k8s.v1_33.core.v1 +import gybe.k8s.v1_33.meta.v1 +from gybe.k8s.types import JSONDict, JSONObj, K8sResource, K8sSpec + + +@dataclass +class AllocatedDeviceStatus(K8sSpec): + """AllocatedDeviceStatus contains the status of an allocated device, if the driver chooses to report it. + This may include driver-specific information. + + Attributes: + conditions: Conditions contains the latest observation of the device's state. If the device has been + configured according to the class and claim config references, the `Ready` condition should be + True. Must not contain more than 8 entries. + data: Data contains arbitrary driver-specific data. The length of the raw data must be smaller or + equal to 10 Ki. + device: Device references one device instance via its name in the driver's resource pool. It must be a + DNS label. + driver: Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process + the allocation once the claim is needed on a node. Must be a DNS subdomain and should end with a + DNS domain owned by the vendor of the driver. + networkData: NetworkData contains network-related information specific to the device. + pool: This name together with the driver name and the device name field identify which device was + allocated (`//`). Must not be longer than 253 characters and + may contain one or more DNS sub-domains separated by slashes. + + """ + + driver: str + pool: str + device: str + conditions: Optional[List[gybe.k8s.v1_33.meta.v1.Condition]] = None + data: Optional[JSONObj] = None + networkData: Optional[NetworkDeviceData] = None + + +@dataclass +class AllocationResult(K8sSpec): + """AllocationResult contains attributes of an allocated resource. 
+ + Attributes: + devices: Devices is the result of allocating devices. + nodeSelector: NodeSelector defines where the allocated resources are available. If unset, they are + available everywhere. + + """ + + devices: Optional[DeviceAllocationResult] = None + nodeSelector: Optional[gybe.k8s.v1_33.core.v1.NodeSelector] = None + + +@dataclass +class BasicDevice(K8sSpec): + """BasicDevice defines one device instance. + + Attributes: + allNodes: AllNodes indicates that all nodes have access to the device. Must only be set if + Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can + be set. + attributes: Attributes defines the set of attributes for this device. The name of each attribute must + be unique in that set. The maximum number of attributes and capacities combined is 32. + capacity: Capacity defines the set of capacities for this device. The name of each capacity must be + unique in that set. The maximum number of attributes and capacities combined is 32. + consumesCounters: ConsumesCounters defines a list of references to sharedCounters and the set of + counters that the device will consume from those counter sets. There can only be a single entry + per counterSet. The total number of device counter consumption entries must be <= 32. In + addition, the total number in the entire ResourceSlice must be <= 1024 (for example, 64 devices + with 16 counters each). + nodeName: NodeName identifies the node where the device is available. Must only be set if + Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can + be set. + nodeSelector: NodeSelector defines the nodes where the device is available. Must only be set if + Spec.PerDeviceNodeSelection is set to true. At most one of NodeName, NodeSelector and AllNodes can + be set. + taints: If specified, these are the driver-defined taints. The maximum number of taints is 4. 
This + is an alpha field and requires enabling the DRADeviceTaints feature gate. + + """ + + allNodes: Optional[bool] = None + attributes: Optional[JSONDict] = None + capacity: Optional[JSONDict] = None + consumesCounters: Optional[List[DeviceCounterConsumption]] = None + nodeName: Optional[str] = None + nodeSelector: Optional[gybe.k8s.v1_33.core.v1.NodeSelector] = None + taints: Optional[List[DeviceTaint]] = None + + +@dataclass +class CELDeviceSelector(K8sSpec): + """CELDeviceSelector contains a CEL expression for selecting a device. + + Attributes: + expression: Expression is a CEL expression which evaluates a single device. It must evaluate to true + when the device under consideration satisfies the desired criteria, and false when it does not. + Any other result is an error and causes allocation of devices to abort. The expression's input is + an object named 'device', which carries the following properties: - driver (string): the name of + the driver which defines this device. - attributes (map[string]object): the device's attributes, + grouped by prefix (e.g. device.attributes['dra.example.com'] evaluates to an object with all + of the attributes which were prefixed by 'dra.example.com'. - capacity (map[string]object): the + device's capacities, grouped by prefix. Example: Consider a device with driver='dra.example.com', + which exposes two attributes named 'model' and 'ext.example.com/family' and which exposes one + capacity named 'modules'. This input to this expression would have the following fields: + device.driver device.attributes['dra.example.com'].model + device.attributes['ext.example.com'].family device.capacity['dra.example.com'].modules The + device.driver field can be used to check for a specific driver, either as a high-level + precondition (i.e. you only want to consider devices from this driver) or as part of a multi- + clause expression that is meant to consider devices from different drivers. 
The value type of + each attribute is defined by the device definition, and users who write these expressions must + consult the documentation for their specific drivers. The value type of each capacity is Quantity. + If an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty + map will be returned. Any reference to an unknown field will cause an evaluation error and + allocation to abort. A robust expression should check for the existence of attributes before + referencing them. For ease of use, the cel.bind() function is enabled, and can be used to + simplify expressions that access multiple attributes with the same domain. For example: + cel.bind(dra, device.attributes['dra.example.com'], dra.someBool && dra.anotherBool) The length + of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited + based on the estimated number of logical steps. + + """ + + expression: str + + +@dataclass +class Counter(K8sSpec): + """Counter describes a quantity associated with a device. + + Attributes: + value: Value defines how much of a certain device counter is available. + + """ + + value: gybe.k8s.v1_33.api.resource.Quantity + + +@dataclass +class CounterSet(K8sSpec): + """CounterSet defines a named set of counters that are available to be used by devices defined in the + ResourceSlice. The counters are not allocatable by themselves, but can be referenced by devices. When + a device is allocated, the portion of counters it uses will no longer be available for use by other + devices. + + Attributes: + counters: Counters defines the counters that will be consumed by the device. The name of each counter + must be unique in that set and must be a DNS label. To ensure this uniqueness, capacities defined + by the vendor must be listed without the driver name as domain prefix in their name. All others + must be listed with their domain prefix. The maximum number of counters is 32. 
+ name: CounterSet is the name of the set from which the counters defined will be consumed. + + """ + + name: str + counters: JSONDict + + +@dataclass +class Device(K8sSpec): + """Device represents one individual hardware instance that can be selected based on its attributes. + Besides the name, exactly one field must be set. + + Attributes: + basic: Basic defines one device instance. + name: Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS + label. + + """ + + name: str + basic: Optional[BasicDevice] = None + + +@dataclass +class DeviceAllocationConfiguration(K8sSpec): + """DeviceAllocationConfiguration gets embedded in an AllocationResult. + + Attributes: + opaque: Opaque provides driver-specific configuration parameters. + requests: Requests lists the names of requests where the configuration applies. If empty, its applies + to all requests. References to subrequests must include the name of the main request and may + include the subrequest using the format
[/]. If just the main request is + given, the configuration applies to all subrequests. + source: Source records whether the configuration comes from a class and thus is not something that a + normal user would have been able to set or from a claim. + + """ + + source: str + opaque: Optional[OpaqueDeviceConfiguration] = None + requests: Optional[List[str]] = None + + +@dataclass +class DeviceAllocationResult(K8sSpec): + """DeviceAllocationResult is the result of allocating devices. + + Attributes: + config: This field is a combination of all the claim and class configuration parameters. Drivers can + distinguish between those based on a flag. This includes configuration parameters for drivers + which have no allocated devices in the result because it is up to the drivers which configuration + parameters they support. They can silently ignore unknown configuration parameters. + results: Results lists all allocated devices. + + """ + + config: Optional[List[DeviceAllocationConfiguration]] = None + results: Optional[List[DeviceRequestAllocationResult]] = None + + +@dataclass +class DeviceAttribute(K8sSpec): + """DeviceAttribute must have exactly one field set. + + Attributes: + bool: BoolValue is a true/false value. + int: IntValue is a number. + string: StringValue is a string. Must not be longer than 64 characters. + version: VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer + than 64 characters. + + """ + + bool: Optional[bool] = None + int: Optional[int] = None + string: Optional[str] = None + version: Optional[str] = None + + +@dataclass +class DeviceClaim(K8sSpec): + """DeviceClaim defines how to request devices with a ResourceClaim. + + Attributes: + config: This field holds configuration for multiple potential drivers which could satisfy requests in + this claim. It is ignored while allocating the claim. + constraints: These constraints must be satisfied by the set of devices that get allocated for the + claim. 
+ requests: Requests represent individual requests for distinct devices which must all be satisfied. If + empty, nothing needs to be allocated. + + """ + + config: Optional[List[DeviceClaimConfiguration]] = None + constraints: Optional[List[DeviceConstraint]] = None + requests: Optional[List[DeviceRequest]] = None + + +@dataclass +class DeviceClaimConfiguration(K8sSpec): + """DeviceClaimConfiguration is used for configuration parameters in DeviceClaim. + + Attributes: + opaque: Opaque provides driver-specific configuration parameters. + requests: Requests lists the names of requests where the configuration applies. If empty, it applies + to all requests. References to subrequests must include the name of the main request and may + include the subrequest using the format
[/]. If just the main request is + given, the configuration applies to all subrequests. + + """ + + opaque: Optional[OpaqueDeviceConfiguration] = None + requests: Optional[List[str]] = None + + +@dataclass +class DeviceClass(K8sResource): + """DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. + It can be referenced in the device requests of a claim to apply these presets. Cluster scoped. This + is an alpha type and requires enabling the DynamicResourceAllocation feature gate. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: Standard object metadata + spec: Spec defines what can be allocated and how to configure it. This is mutable. Consumers have to + be prepared for classes changing at any time, either because they get updated or replaced. Claim + allocations are done once based on whatever was set in classes at the time of allocation. + Changing the spec automatically increments the metadata.generation number. + + """ + + spec: DeviceClassSpec + apiVersion: Literal['resource.k8s.io/v1alpha3'] = 'resource.k8s.io/v1alpha3' + kind: Literal['DeviceClass'] = 'DeviceClass' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + + +@dataclass +class DeviceClassConfiguration(K8sSpec): + """DeviceClassConfiguration is used in DeviceClass. + + Attributes: + opaque: Opaque provides driver-specific configuration parameters. + + """ + + opaque: Optional[OpaqueDeviceConfiguration] = None + + +@dataclass +class DeviceClassSpec(K8sSpec): + """DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it. 
+ + Attributes: + config: Config defines configuration parameters that apply to each device that is claimed via this + class. Some classses may potentially be satisfied by multiple drivers, so each instance of a + vendor configuration applies to exactly one driver. They are passed to the driver, but are not + considered while allocating the claim. + selectors: Each selector must be satisfied by a device which is claimed via this class. + + """ + + config: Optional[List[DeviceClassConfiguration]] = None + selectors: Optional[List[DeviceSelector]] = None + + +@dataclass +class DeviceConstraint(K8sSpec): + """DeviceConstraint must have exactly one field set besides Requests. + + Attributes: + matchAttribute: MatchAttribute requires that all devices in question have this attribute and that its + type and value are the same across those devices. For example, if you specified + 'dra.example.com/numa' (a hypothetical example!), then only devices in the same NUMA node will be + chosen. A device which does not have that attribute will not be chosen. All devices should use a + value of the same type for this attribute because that is part of its specification, but if one + device doesn't, then it also will not be chosen. Must include the domain qualifier. + requests: Requests is a list of the one or more requests in this claim which must co-satisfy this + constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy + the constraint. If this is not specified, this constraint applies to all requests in this claim. + References to subrequests must include the name of the main request and may include the subrequest + using the format
[/]. If just the main request is given, the constraint + applies to all subrequests. + + """ + + matchAttribute: Optional[str] = None + requests: Optional[List[str]] = None + + +@dataclass +class DeviceCounterConsumption(K8sSpec): + """DeviceCounterConsumption defines a set of counters that a device will consume from a CounterSet. + + Attributes: + counterSet: CounterSet defines the set from which the counters defined will be consumed. + counters: Counters defines the Counter that will be consumed by the device. The maximum number + counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 + (for example, 64 devices with 16 counters each). + + """ + + counterSet: str + counters: JSONDict + + +@dataclass +class DeviceRequest(K8sSpec): + """DeviceRequest is a request for devices required for a claim. This is typically a request for a single + resource like a device, but can also ask for several identical devices. + + Attributes: + adminAccess: AdminAccess indicates that this is a claim for administrative access to the device(s). + Claims with AdminAccess are expected to be used for monitoring or other management services for a + device. They ignore all ordinary claims to the device with respect to access modes and any + resource allocations. This field can only be set when deviceClassName is set and no subrequests + are specified in the firstAvailable list. This is an alpha field and requires enabling the + DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, + otherwise it is enabled. + allocationMode: AllocationMode and its related fields define how devices are allocated to satisfy this + request. Supported values are: - ExactCount: This request is for a specific number of devices. + This is the default. The exact number is provided in the count field. - All: This request is + for all of the matching devices in a pool. 
At least one device must exist on the node for the + allocation to succeed. Allocation will fail if some devices are already allocated, unless + adminAccess is requested. If AllocationMode is not specified, the default mode is ExactCount. If + the mode is ExactCount and count is not specified, the default count is one. Any other requests + must specify this field. This field can only be set when deviceClassName is set and no + subrequests are specified in the firstAvailable list. More modes may get added in the future. + Clients must refuse to handle requests with unknown modes. + count: Count is used only when the count mode is 'ExactCount'. Must be greater than zero. If + AllocationMode is ExactCount and this field is not specified, the default is one. This field can + only be set when deviceClassName is set and no subrequests are specified in the firstAvailable + list. + deviceClassName: DeviceClassName references a specific DeviceClass, which can define additional + configuration and selectors to be inherited by this request. A class is required if no + subrequests are specified in the firstAvailable list and no class can be set if subrequests are + specified in the firstAvailable list. Which classes are available depends on the cluster. + Administrators may use this to restrict which devices may get requested by only installing classes + with selectors for permitted devices. If users are free to request anything without restrictions, + then administrators can create an empty DeviceClass for users to reference. + firstAvailable: FirstAvailable contains subrequests, of which exactly one will be satisfied by the + scheduler to satisfy this request. It tries to satisfy them in the order in which they are listed + here. So if there are two entries in the list, the scheduler will only check the second one if it + determines that the first one cannot be used. This field may only be set in the entries of + DeviceClaim.Requests. 
DRA does not yet implement scoring, so the scheduler will select the first + set of devices that satisfies all the requests in the claim. And if the requirements can be + satisfied on more than one node, other scheduling features will determine which node is chosen. + This means that the set of devices allocated to a claim might not be the optimal set available to + the cluster. Scoring will be implemented later. + name: Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and + in a constraint of the claim. Must be a DNS label. + selectors: Selectors define criteria which must be satisfied by a specific device in order for that + device to be considered for this request. All selectors must be satisfied for a device to be + considered. This field can only be set when deviceClassName is set and no subrequests are + specified in the firstAvailable list. + tolerations: If specified, the request's tolerations. Tolerations for NoSchedule are required to + allocate a device which has a taint with that effect. The same applies to NoExecute. In addition, + should any of the allocated devices get tainted with NoExecute after allocation and that effect is + not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler + will not let new pods reserve the claim while it has these tainted devices. Once all pods are + evicted, the claim will get deallocated. The maximum number of tolerations is 16. This field can + only be set when deviceClassName is set and no subrequests are specified in the firstAvailable + list. This is an alpha field and requires enabling the DRADeviceTaints feature gate. 
+ + """ + + name: str + adminAccess: Optional[bool] = None + allocationMode: Optional[str] = None + count: Optional[int] = None + deviceClassName: Optional[str] = None + firstAvailable: Optional[List[DeviceSubRequest]] = None + selectors: Optional[List[DeviceSelector]] = None + tolerations: Optional[List[DeviceToleration]] = None + + +@dataclass +class DeviceRequestAllocationResult(K8sSpec): + """DeviceRequestAllocationResult contains the allocation result for one request. + + Attributes: + adminAccess: AdminAccess indicates that this device was allocated for administrative access. See the + corresponding request field for a definition of mode. This is an alpha field and requires + enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set + to false, otherwise it is enabled. + device: Device references one device instance via its name in the driver's resource pool. It must be a + DNS label. + driver: Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process + the allocation once the claim is needed on a node. Must be a DNS subdomain and should end with a + DNS domain owned by the vendor of the driver. + pool: This name together with the driver name and the device name field identify which device was + allocated (`//`). Must not be longer than 253 characters and + may contain one or more DNS sub-domains separated by slashes. + request: Request is the name of the request in the claim which caused this device to be allocated. If + it references a subrequest in the firstAvailable list on a DeviceRequest, this field must include + both the name of the main request and the subrequest using the format
/. + Multiple devices may have been allocated per request. + tolerations: A copy of all tolerations specified in the request at the time when the device got + allocated. The maximum number of tolerations is 16. This is an alpha field and requires enabling + the DRADeviceTaints feature gate. + + """ + + request: str + driver: str + pool: str + device: str + adminAccess: Optional[bool] = None + tolerations: Optional[List[DeviceToleration]] = None + + +@dataclass +class DeviceSelector(K8sSpec): + """DeviceSelector must have exactly one field set. + + Attributes: + cel: CEL contains a CEL expression for selecting a device. + + """ + + cel: Optional[CELDeviceSelector] = None + + +@dataclass +class DeviceSubRequest(K8sSpec): + """DeviceSubRequest describes a request for device provided in the + claim.spec.devices.requests[].firstAvailable array. Each is typically a request for a single resource + like a device, but can also ask for several identical devices. DeviceSubRequest is similar to + Request, but doesn't expose the AdminAccess or FirstAvailable fields, as those can only be set on the + top-level request. AdminAccess is not supported for requests with a prioritized list, and recursive + FirstAvailable fields are not supported. + + Attributes: + allocationMode: AllocationMode and its related fields define how devices are allocated to satisfy this + request. Supported values are: - ExactCount: This request is for a specific number of devices. + This is the default. The exact number is provided in the count field. - All: This request is + for all of the matching devices in a pool. Allocation will fail if some devices are already + allocated, unless adminAccess is requested. If AllocationMode is not specified, the default + mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is + one. Any other requests must specify this field. More modes may get added in the future. Clients + must refuse to handle requests with unknown modes. 
+ count: Count is used only when the count mode is 'ExactCount'. Must be greater than zero. If + AllocationMode is ExactCount and this field is not specified, the default is one. + deviceClassName: DeviceClassName references a specific DeviceClass, which can define additional + configuration and selectors to be inherited by this subrequest. A class is required. Which + classes are available depends on the cluster. Administrators may use this to restrict which + devices may get requested by only installing classes with selectors for permitted devices. If + users are free to request anything without restrictions, then administrators can create an empty + DeviceClass for users to reference. + name: Name can be used to reference this subrequest in the list of constraints or the list of + configurations for the claim. References must use the format
/. Must be + a DNS label. + selectors: Selectors define criteria which must be satisfied by a specific device in order for that + device to be considered for this request. All selectors must be satisfied for a device to be + considered. + tolerations: If specified, the request's tolerations. Tolerations for NoSchedule are required to + allocate a device which has a taint with that effect. The same applies to NoExecute. In addition, + should any of the allocated devices get tainted with NoExecute after allocation and that effect is + not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler + will not let new pods reserve the claim while it has these tainted devices. Once all pods are + evicted, the claim will get deallocated. The maximum number of tolerations is 16. This is an + alpha field and requires enabling the DRADeviceTaints feature gate. + + """ + + name: str + deviceClassName: str + allocationMode: Optional[str] = None + count: Optional[int] = None + selectors: Optional[List[DeviceSelector]] = None + tolerations: Optional[List[DeviceToleration]] = None + + +@dataclass +class DeviceTaint(K8sSpec): + """The device this taint is attached to has the 'effect' on any claim which does not tolerate the taint + and, through the claim, to pods using the claim. + + Attributes: + effect: The effect of the taint on claims that do not tolerate the taint and through such claims on + the pods using them. Valid effects are NoSchedule and NoExecute. PreferNoSchedule as used for + nodes is not valid here. + key: The taint key to be applied to a device. Must be a label name. + timeAdded: TimeAdded represents the time at which the taint was added. Added automatically during + create or update if not set. + value: The taint value corresponding to the taint key. Must be a label value. 
+ + """ + + key: str + effect: str + timeAdded: Optional[str] = None + value: Optional[str] = None + + +@dataclass +class DeviceTaintRule(K8sResource): + """DeviceTaintRule adds one taint to all devices which match the selector. This has the same effect as if + the taint was specified directly in the ResourceSlice by the DRA driver. + + Attributes: + apiVersion: APIVersion defines the versioned schema of this representation of an object. Servers + should convert recognized schemas to the latest internal value, and may reject unrecognized + values. + kind: Kind is a string value representing the REST resource this object represents. Servers may infer + this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. + metadata: Standard object metadata + spec: Spec specifies the selector and one taint. Changing the spec automatically increments the + metadata.generation number. + + """ + + spec: DeviceTaintRuleSpec + apiVersion: Literal['resource.k8s.io/v1alpha3'] = 'resource.k8s.io/v1alpha3' + kind: Literal['DeviceTaintRule'] = 'DeviceTaintRule' + metadata: Optional[gybe.k8s.v1_33.meta.v1.ObjectMeta] = None + + +@dataclass +class DeviceTaintRuleSpec(K8sSpec): + """DeviceTaintRuleSpec specifies the selector and one taint. + + Attributes: + deviceSelector: DeviceSelector defines which device(s) the taint is applied to. All selector criteria + must be satified for a device to match. The empty selector matches all devices. Without a + selector, no devices are matches. + taint: The taint that gets applied to matching devices. + + """ + + taint: DeviceTaint + deviceSelector: Optional[DeviceTaintSelector] = None + + +@dataclass +class DeviceTaintSelector(K8sSpec): + """DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches + all devices. Without a selector, no devices are matched. + + Attributes: + device: If device is set, only devices with that name are selected. 
This field corresponds to + slice.spec.devices[].name. Setting also driver and pool may be required to avoid ambiguity, but + is not required. + deviceClassName: If DeviceClassName is set, the selectors defined there must be satisfied by a device + to be selected. This field corresponds to class.metadata.name. + driver: If driver is set, only devices from that driver are selected. This fields corresponds to + slice.spec.driver. + pool: If pool is set, only devices in that pool are selected. Also setting the driver name may be + useful to avoid ambiguity when different drivers use the same pool name, but this is not required + because selecting pools from different drivers may also be useful, for example when drivers with + node-local devices use the node name as their pool name. + selectors: Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL + expressions are supported. All of these selectors must be satisfied. + + """ + + device: Optional[str] = None + deviceClassName: Optional[str] = None + driver: Optional[str] = None + pool: Optional[str] = None + selectors: Optional[List[DeviceSelector]] = None + + +@dataclass +class DeviceToleration(K8sSpec): + """The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple + using the matching operator . + + Attributes: + effect: Effect indicates the taint effect to match. Empty means match all taint effects. When + specified, allowed values are NoSchedule and NoExecute. + key: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key + is empty, operator must be Exists; this combination means to match all values and all keys. Must + be a label name. + operator: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. + Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can + tolerate all taints of a particular category. 
+ tolerationSeconds: TolerationSeconds represents the period of time the toleration (which must be of + effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, + which means tolerate the taint forever (do not evict). Zero and negative values will be treated as + 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be + evicted is calculated as