Merge pull request #54463 from saad-ali/volumeAttachmentAPI

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Introduce new `VolumeAttachment` API Object **What this PR does / why we need it**: Introduce a new `VolumeAttachment` API Object. This object will be used by the CSI volume plugin to enable external attachers (see design [here](https://github.com/kubernetes/community/pull/1258). In the future, existing volume plugins can be refactored to use this object as well. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: Part of issue https://github.com/kubernetes/features/issues/178 **Special notes for your reviewer**: None **Release note**: ```release-note NONE ``` Kubernetes-commit: ebe8ea73fd1a961779242dfbb629befa153e96fc
2026-04-12 00:00:26 +08:00 · 2017-11-14 22:05:27 -08:00
parent e0bc67b5c7 4bdc2d13b0
commit 5b4ab70a3f
289 changed files with 12733 additions and 7338 deletions
@@ -21,6 +21,8 @@ syntax = 'proto2';

 package k8s.io.api.admissionregistration.v1alpha1;

+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto";
 import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
 import "k8s.io/apimachinery/pkg/runtime/generated.proto";
 import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
@@ -29,72 +31,6 @@ import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
 // Package-wide variables from generator "generated".
 option go_package = "v1alpha1";

-// AdmissionHookClientConfig contains the information to make a TLS
-// connection with the webhook
-message AdmissionHookClientConfig {
-  // Service is a reference to the service for this webhook. If there is only
-  // one port open for the service, that port will be used. If there are multiple
-  // ports open, port 443 will be used if it is open, otherwise it is an error.
-  // Required
-  optional ServiceReference service = 1;
-
-  // URLPath is an optional field that specifies the URL path to use when posting the AdmissionReview object.
-  optional string urlPath = 3;
-
-  // CABundle is a PEM encoded CA bundle which will be used to validate webhook's server certificate.
-  // Required
-  optional bytes caBundle = 2;
-}
-
-// ExternalAdmissionHook describes an external admission webhook and the
-// resources and operations it applies to.
-message ExternalAdmissionHook {
-  // The name of the external admission webhook.
-  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
-  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
-  // of the organization.
-  // Required.
-  optional string name = 1;
-
-  // ClientConfig defines how to communicate with the hook.
-  // Required
-  optional AdmissionHookClientConfig clientConfig = 2;
-
-  // Rules describes what operations on what resources/subresources the webhook cares about.
-  // The webhook cares about an operation if it matches _any_ Rule.
-  repeated RuleWithOperations rules = 3;
-
-  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
-  // allowed values are Ignore or Fail. Defaults to Ignore.
-  // +optional
-  optional string failurePolicy = 4;
-}
-
-// ExternalAdmissionHookConfiguration describes the configuration of initializers.
-message ExternalAdmissionHookConfiguration {
-  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
-
-  // ExternalAdmissionHooks is a list of external admission webhooks and the
-  // affected resources and operations.
-  // +optional
-  // +patchMergeKey=name
-  // +patchStrategy=merge
-  repeated ExternalAdmissionHook externalAdmissionHooks = 2;
-}
-
-// ExternalAdmissionHookConfigurationList is a list of ExternalAdmissionHookConfiguration.
-message ExternalAdmissionHookConfigurationList {
-  // Standard list metadata.
-  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
-  // +optional
-  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
-
-  // List of ExternalAdmissionHookConfiguration.
-  repeated ExternalAdmissionHookConfiguration items = 2;
-}
-
 // Initializer describes the name and the failure policy of an initializer, and
 // what resources it applies to.
 message Initializer {
@@ -141,6 +77,30 @@ message InitializerConfigurationList {
  repeated InitializerConfiguration items = 2;
 }

+// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.
+message MutatingWebhookConfiguration {
+  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Webhooks is a list of webhooks and the affected resources and operations.
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated Webhook Webhooks = 2;
+}
+
+// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
+message MutatingWebhookConfigurationList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of MutatingWebhookConfiguration.
+  repeated MutatingWebhookConfiguration items = 2;
+}
+
 // Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended
 // to make sure that all the tuple expansions are valid.
 message Rule {
@@ -188,12 +148,160 @@ message RuleWithOperations {

 // ServiceReference holds a reference to Service.legacy.k8s.io
 message ServiceReference {
-  // Namespace is the namespace of the service
+  // `namespace` is the namespace of the service.
  // Required
  optional string namespace = 1;

-  // Name is the name of the service
+  // `name` is the name of the service.
  // Required
  optional string name = 2;
+
+  // `path` is an optional URL path which will be sent in any request to
+  // this service.
+  // +optional
+  optional string path = 3;
+}
+
+// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.
+message ValidatingWebhookConfiguration {
+  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  // Webhooks is a list of webhooks and the affected resources and operations.
+  // +optional
+  // +patchMergeKey=name
+  // +patchStrategy=merge
+  repeated Webhook Webhooks = 2;
+}
+
+// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
+message ValidatingWebhookConfigurationList {
+  // Standard list metadata.
+  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  // List of ValidatingWebhookConfiguration.
+  repeated ValidatingWebhookConfiguration items = 2;
+}
+
+// Webhook describes an admission webhook and the resources and operations it applies to.
+message Webhook {
+  // The name of the admission webhook.
+  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
+  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
+  // of the organization.
+  // Required.
+  optional string name = 1;
+
+  // ClientConfig defines how to communicate with the hook.
+  // Required
+  optional WebhookClientConfig clientConfig = 2;
+
+  // Rules describes what operations on what resources/subresources the webhook cares about.
+  // The webhook cares about an operation if it matches _any_ Rule.
+  repeated RuleWithOperations rules = 3;
+
+  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
+  // allowed values are Ignore or Fail. Defaults to Ignore.
+  // +optional
+  optional string failurePolicy = 4;
+
+  // NamespaceSelector decides whether to run the webhook on an object based
+  // on whether the namespace for that object matches the selector. If the
+  // object itself is a namespace, the matching is performed on
+  // object.metadata.labels. If the object is other cluster scoped resource,
+  // it is not subjected to the webhook.
+  // 
+  // For example, to run the webhook on any objects whose namespace is not
+  // associated with "runlevel" of "0" or "1";  you will set the selector as
+  // follows:
+  // "namespaceSelector": {
+  //   "matchExpressions": [
+  //     {
+  //       "key": "runlevel",
+  //       "operator": "NotIn",
+  //       "values": [
+  //         "0",
+  //         "1"
+  //       ]
+  //     }
+  //   ]
+  // }
+  // 
+  // If instead you want to only run the webhook on any objects whose
+  // namespace is associated with the "environment" of "prod" or "staging";
+  // you will set the selector as follows:
+  // "namespaceSelector": {
+  //   "matchExpressions": [
+  //     {
+  //       "key": "environment",
+  //       "operator": "In",
+  //       "values": [
+  //         "prod",
+  //         "staging"
+  //       ]
+  //     }
+  //   ]
+  // }
+  // 
+  // See
+  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+  // for more examples of label selectors.
+  // 
+  // Default to the empty LabelSelector, which matches everything.
+  // +optional
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
+}
+
+// WebhookClientConfig contains the information to make a TLS
+// connection with the webhook
+message WebhookClientConfig {
+  // `url` gives the location of the webhook, in standard URL form
+  // (`[scheme://]host:port/path`). Exactly one of `url` or `service`
+  // must be specified.
+  // 
+  // The `host` should not refer to a service running in the cluster; use
+  // the `service` field instead. The host might be resolved via external
+  // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
+  // in-cluster DNS as that would be a layering violation). `host` may
+  // also be an IP address.
+  // 
+  // Please note that using `localhost` or `127.0.0.1` as a `host` is
+  // risky unless you take great care to run this webhook on all hosts
+  // which run an apiserver which might need to make calls to this
+  // webhook. Such installs are likely to be non-portable, i.e., not easy
+  // to turn up in a new cluster.
+  // 
+  // The scheme must be "https"; the URL must begin with "https://".
+  // 
+  // A path is optional, and if present may be any string permissible in
+  // a URL. You may use the path to pass an arbitrary string to the
+  // webhook, for example, a cluster identifier.
+  // 
+  // Attempting to use a user or basic auth e.g. "user:password@" is not
+  // allowed. Fragments ("#...") and query parameters ("?...") are not
+  // allowed, either.
+  // 
+  // +optional
+  optional string url = 3;
+
+  // `service` is a reference to the service for this webhook. Either
+  // `service` or `url` must be specified.
+  // 
+  // If the webhook is running within the cluster, then you should use `service`.
+  // 
+  // If there is only one port open for the service, that port will be
+  // used. If there are multiple ports open, port 443 will be used if it
+  // is open, otherwise it is an error.
+  // 
+  // +optional
+  optional ServiceReference service = 1;
+
+  // `caBundle` is a PEM encoded CA bundle which will be used to validate
+  // the webhook's server certificate.
+  // Required.
+  optional bytes caBundle = 2;
 }