import { Manifest, type ManifestConfig } from "@cdktf/provider-kubernetes/lib/manifest";
import { Construct } from "constructs";
/**
 * CDKTF construct for the GKE `WorkloadAllowlist` custom resource
 * (`auto.gke.io/v1`), declared as a thin subclass of the Kubernetes
 * provider's `Manifest` resource. Only the constructor signature is
 * specialised; everything else is inherited from `Manifest`.
 */
export declare class KubernetesWorkloadAllowlistV1Manifest extends Manifest {
  /**
   * @param scope - Construct scope the manifest resource is created in.
   * @param id - Construct id, unique within `scope`.
   * @param config - Manifest config; see {@link KubernetesWorkloadAllowlistV1ManifestConfig}.
   */
  constructor(scope: Construct, id: string, config: KubernetesWorkloadAllowlistV1ManifestConfig);
}
/**
 * Config for {@link KubernetesWorkloadAllowlistV1Manifest}. The `manifest`
 * member is the `WorkloadAllowlist` object (`auto.gke.io/v1`) that gets
 * applied to the cluster; its `exemptions`, `matchingCriteria` and
 * `minGKEVersion` are top-level fields of the CRD, not nested under `spec`.
 *
 * NOTE(review): an allowlist exempts matching workloads from GKE Warden
 * constraints, so the `matchingCriteria` fields below are effectively the
 * privileges being granted (`privileged`, `capabilities.add`, `hostPath`,
 * `hostNetwork` / `hostPID` / `hostIPC`, ...). Keep them as narrow as the
 * workload actually needs and treat changes to this manifest as
 * security-sensitive in review.
 */
export interface KubernetesWorkloadAllowlistV1ManifestConfig extends ManifestConfig {
  manifest: {
    apiVersion?: "auto.gke.io/v1";
    kind?: "WorkloadAllowlist";
    metadata: {
      annotations?: {
        [key: string]: string;
      };
      labels?: {
        [key: string]: string;
      };
      name: string;
      namespace?: string;
    };
    /** @description GKE Warden constraints that this workload allowlist exempts.
     * Each entry names a constraint the matching workload no longer has to satisfy;
     * prefer the smallest set that lets the workload run. */
    exemptions: string[];
    /** @description PodSpec corev1.PodSpec `json:"podSpec"`
     * The subset of a pod spec that an allowlisted workload is matched against.
     * Because this is what gets exempted, every privileged setting listed here
     * (host namespaces, privileged containers, added capabilities, hostPath
     * volumes) deserves an explicit justification. */
    matchingCriteria: {
      containers: {
        /** @description Arguments to the entrypoint.
         * The container image's CMD is used if this is not provided.
         * Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
         * cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
         * to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
         * produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
         * of whether the variable exists or not. Cannot be updated.
         * More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell */
        args?: string[];
        /** @description Entrypoint array. Not executed within a shell.
         * The container image's ENTRYPOINT is used if this is not provided.
         * Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
         * cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
         * to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
         * produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
         * of whether the variable exists or not. Cannot be updated.
         * More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell */
        command?: string[];
        /** @description List of environment variables to set in the container.
         * Cannot be updated. Only the variable name is part of the allowlist schema. */
        env?: {
          /** @description Name of the environment variable. Must be a C_IDENTIFIER. */
          name: string;
        }[];
        /** @description List of sources to populate environment variables in the container.
         * The keys defined within a source must be a C_IDENTIFIER. All invalid keys
         * will be reported as an event when the container is starting. When a key exists in multiple
         * sources, the value associated with the last source will take precedence.
         * Values defined by an Env with a duplicate key will take precedence.
         * Cannot be updated. */
        envFrom?: {
          /** @description The ConfigMap to select from */
          configMapRef?: {
            /** @description The name of the ConfigMap to select from.
             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names */
            name?: string;
          };
          /** @description The Secret to select from */
          secretRef?: {
            /** @description The name of the Secret to select from.
             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names */
            name?: string;
          };
        }[];
        /** @description Container image name.
         * More info: https://kubernetes.io/docs/concepts/containers/images
         * This field is optional to allow higher level config management to default or override
         * container images in workload controllers like Deployments and StatefulSets.
         * NOTE(review): a mutable tag here matches any image pushed under that tag; prefer a
         * digest-pinned reference if the allowlist is meant to cover one specific image. */
        image?: string;
        /** @description Actions that the management system should take in response to container lifecycle events.
         * Cannot be updated. */
        lifecycle?: {
          /** @description PostStart is called immediately after a container is created. If the handler fails,
           * the container is terminated and restarted according to its restart policy.
           * Other management of the container blocks until the hook completes.
           * More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks */
          postStart?: {
            /** @description Exec specifies the action to take. */
            exec?: {
              /** @description Command is the command line to execute inside the container, the working directory for the
               * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
               * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
               * a shell, you need to explicitly call out to that shell.
               * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
              command?: string[];
            };
          };
          /** @description PreStop is called immediately before a container is terminated due to an
           * API request or management event such as liveness/startup probe failure,
           * preemption, resource contention, etc. The handler is not called if the
           * container crashes or exits. The Pod's termination grace period countdown begins before the
           * PreStop hook is executed. Regardless of the outcome of the handler, the
           * container will eventually terminate within the Pod's termination grace
           * period (unless delayed by finalizers). Other management of the container blocks until the hook completes
           * or until the termination grace period is reached.
           * More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks */
          preStop?: {
            /** @description Exec specifies the action to take. */
            exec?: {
              /** @description Command is the command line to execute inside the container, the working directory for the
               * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
               * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
               * a shell, you need to explicitly call out to that shell.
               * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
              command?: string[];
            };
          };
        };
        /** @description Periodic probe of container liveness.
         * Container will be restarted if the probe fails.
         * Cannot be updated.
         * More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes */
        livenessProbe?: {
          /** @description Exec specifies the action to take. */
          exec?: {
            /** @description Command is the command line to execute inside the container, the working directory for the
             * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
             * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
             * a shell, you need to explicitly call out to that shell.
             * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
            command?: string[];
          };
        };
        /** @description Name of the container specified as a DNS_LABEL.
         * Each container in a pod must have a unique name (DNS_LABEL).
         * Cannot be updated. */
        name: string;
        /** @description Periodic probe of container service readiness.
         * Container will be removed from service endpoints if the probe fails.
         * Cannot be updated.
         * More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes */
        readinessProbe?: {
          /** @description Exec specifies the action to take. */
          exec?: {
            /** @description Command is the command line to execute inside the container, the working directory for the
             * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
             * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
             * a shell, you need to explicitly call out to that shell.
             * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
            command?: string[];
          };
        };
        /** @description SecurityContext defines the security options the container should be run with.
         * If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
         * More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
         * Only `capabilities` and `privileged` are part of the allowlist schema; these are the
         * settings most worth scrutinising, since the allowlist permits rather than restricts them. */
        securityContext?: {
          /** @description The capabilities to add/drop when running containers.
           * Defaults to the default set of capabilities granted by the container runtime.
           * Note that this field cannot be set when spec.os.name is windows. */
          capabilities?: {
            /** @description Added capabilities
             * Each capability listed here is one the allowlisted container may gain; review
             * every entry individually rather than accepting a broad list. */
            add?: string[];
            /** @description Removed capabilities */
            drop?: string[];
          };
          /** @description Run container in privileged mode.
           * Processes in privileged containers are essentially equivalent to root on the host.
           * Defaults to false.
           * Note that this field cannot be set when spec.os.name is windows.
           * NOTE(review): allowlisting `privileged: true` is the broadest exemption this schema
           * can express; expect a documented justification and a tightly scoped `image`. */
          privileged?: boolean;
        };
        /** @description StartupProbe indicates that the Pod has successfully initialized.
         * If specified, no other probes are executed until this completes successfully.
         * If this probe fails, the Pod will be restarted, just as if the livenessProbe failed.
         * This can be used to provide different probe parameters at the beginning of a Pod's lifecycle,
         * when it might take a long time to load data or warm a cache, than during steady-state operation.
         * This cannot be updated.
         * More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes */
        startupProbe?: {
          /** @description Exec specifies the action to take. */
          exec?: {
            /** @description Command is the command line to execute inside the container, the working directory for the
             * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
             * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
             * a shell, you need to explicitly call out to that shell.
             * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
            command?: string[];
          };
        };
        /** @description volumeDevices is the list of block devices to be used by the container. */
        volumeDevices?: {
          /** @description devicePath is the path inside of the container that the device will be mapped to. */
          devicePath: string;
          /** @description name must match the name of a persistentVolumeClaim in the pod */
          name: string;
        }[];
        /** @description Pod volumes to mount into the container's filesystem.
         * Cannot be updated. */
        volumeMounts?: {
          /** @description Path within the container at which the volume should be mounted. Must
           * not contain ':'. */
          mountPath: string;
          /** @description This must match the Name of a Volume. */
          name: string;
          /** @description Mounted read-only if true, read-write otherwise (false or unspecified).
           * Defaults to false. */
          readOnly?: boolean;
        }[];
      }[];
      // Host-namespace flags of corev1.PodSpec. The CRD schema carries no description
      // for them. NOTE(review): presumably these state whether the allowlisted workload
      // may share the node's IPC, network and PID namespaces, and (hostUsers) whether it
      // runs in the host user namespace rather than a pod user namespace — confirm
      // against the PodSpec docs. Each of them weakens isolation from the node, so an
      // allowlist enabling any of them warrants the same review as `privileged`.
      hostIPC?: boolean;
      hostNetwork?: boolean;
      hostPID?: boolean;
      hostUsers?: boolean;
      // Same shape as `containers` above; the allowlist applies to init containers too,
      // so an init container can carry the same privileged settings as a main container.
      initContainers?: {
        /** @description Arguments to the entrypoint.
         * The container image's CMD is used if this is not provided.
         * Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
         * cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
         * to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
         * produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
         * of whether the variable exists or not. Cannot be updated.
         * More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell */
        args?: string[];
        /** @description Entrypoint array. Not executed within a shell.
         * The container image's ENTRYPOINT is used if this is not provided.
         * Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
         * cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
         * to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
         * produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
         * of whether the variable exists or not. Cannot be updated.
         * More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell */
        command?: string[];
        /** @description List of environment variables to set in the container.
         * Cannot be updated. Only the variable name is part of the allowlist schema. */
        env?: {
          /** @description Name of the environment variable. Must be a C_IDENTIFIER. */
          name: string;
        }[];
        /** @description List of sources to populate environment variables in the container.
         * The keys defined within a source must be a C_IDENTIFIER. All invalid keys
         * will be reported as an event when the container is starting. When a key exists in multiple
         * sources, the value associated with the last source will take precedence.
         * Values defined by an Env with a duplicate key will take precedence.
         * Cannot be updated. */
        envFrom?: {
          /** @description The ConfigMap to select from */
          configMapRef?: {
            /** @description The name of the ConfigMap to select from.
             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names */
            name?: string;
          };
          /** @description The Secret to select from */
          secretRef?: {
            /** @description The name of the Secret to select from.
             * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names */
            name?: string;
          };
        }[];
        /** @description Container image name.
         * More info: https://kubernetes.io/docs/concepts/containers/images
         * This field is optional to allow higher level config management to default or override
         * container images in workload controllers like Deployments and StatefulSets.
         * NOTE(review): a mutable tag here matches any image pushed under that tag; prefer a
         * digest-pinned reference if the allowlist is meant to cover one specific image. */
        image?: string;
        /** @description Actions that the management system should take in response to container lifecycle events.
         * Cannot be updated. */
        lifecycle?: {
          /** @description PostStart is called immediately after a container is created. If the handler fails,
           * the container is terminated and restarted according to its restart policy.
           * Other management of the container blocks until the hook completes.
           * More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks */
          postStart?: {
            /** @description Exec specifies the action to take. */
            exec?: {
              /** @description Command is the command line to execute inside the container, the working directory for the
               * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
               * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
               * a shell, you need to explicitly call out to that shell.
               * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
              command?: string[];
            };
          };
          /** @description PreStop is called immediately before a container is terminated due to an
           * API request or management event such as liveness/startup probe failure,
           * preemption, resource contention, etc. The handler is not called if the
           * container crashes or exits. The Pod's termination grace period countdown begins before the
           * PreStop hook is executed. Regardless of the outcome of the handler, the
           * container will eventually terminate within the Pod's termination grace
           * period (unless delayed by finalizers). Other management of the container blocks until the hook completes
           * or until the termination grace period is reached.
           * More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks */
          preStop?: {
            /** @description Exec specifies the action to take. */
            exec?: {
              /** @description Command is the command line to execute inside the container, the working directory for the
               * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
               * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
               * a shell, you need to explicitly call out to that shell.
               * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
              command?: string[];
            };
          };
        };
        /** @description Periodic probe of container liveness.
         * Container will be restarted if the probe fails.
         * Cannot be updated.
         * More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes */
        livenessProbe?: {
          /** @description Exec specifies the action to take. */
          exec?: {
            /** @description Command is the command line to execute inside the container, the working directory for the
             * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
             * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
             * a shell, you need to explicitly call out to that shell.
             * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
            command?: string[];
          };
        };
        /** @description Name of the container specified as a DNS_LABEL.
         * Each container in a pod must have a unique name (DNS_LABEL).
         * Cannot be updated. */
        name: string;
        /** @description Periodic probe of container service readiness.
         * Container will be removed from service endpoints if the probe fails.
         * Cannot be updated.
         * More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes */
        readinessProbe?: {
          /** @description Exec specifies the action to take. */
          exec?: {
            /** @description Command is the command line to execute inside the container, the working directory for the
             * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
             * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
             * a shell, you need to explicitly call out to that shell.
             * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
            command?: string[];
          };
        };
        /** @description SecurityContext defines the security options the container should be run with.
         * If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
         * More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
         * Only `capabilities` and `privileged` are part of the allowlist schema; these are the
         * settings most worth scrutinising, since the allowlist permits rather than restricts them. */
        securityContext?: {
          /** @description The capabilities to add/drop when running containers.
           * Defaults to the default set of capabilities granted by the container runtime.
           * Note that this field cannot be set when spec.os.name is windows. */
          capabilities?: {
            /** @description Added capabilities
             * Each capability listed here is one the allowlisted container may gain; review
             * every entry individually rather than accepting a broad list. */
            add?: string[];
            /** @description Removed capabilities */
            drop?: string[];
          };
          /** @description Run container in privileged mode.
           * Processes in privileged containers are essentially equivalent to root on the host.
           * Defaults to false.
           * Note that this field cannot be set when spec.os.name is windows.
           * NOTE(review): allowlisting `privileged: true` is the broadest exemption this schema
           * can express; expect a documented justification and a tightly scoped `image`. */
          privileged?: boolean;
        };
        /** @description StartupProbe indicates that the Pod has successfully initialized.
         * If specified, no other probes are executed until this completes successfully.
         * If this probe fails, the Pod will be restarted, just as if the livenessProbe failed.
         * This can be used to provide different probe parameters at the beginning of a Pod's lifecycle,
         * when it might take a long time to load data or warm a cache, than during steady-state operation.
         * This cannot be updated.
         * More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes */
        startupProbe?: {
          /** @description Exec specifies the action to take. */
          exec?: {
            /** @description Command is the command line to execute inside the container, the working directory for the
             * command is root ('/') in the container's filesystem. The command is simply exec'd, it is
             * not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
             * a shell, you need to explicitly call out to that shell.
             * Exit status of 0 is treated as live/healthy and non-zero is unhealthy. */
            command?: string[];
          };
        };
        /** @description volumeDevices is the list of block devices to be used by the container. */
        volumeDevices?: {
          /** @description devicePath is the path inside of the container that the device will be mapped to. */
          devicePath: string;
          /** @description name must match the name of a persistentVolumeClaim in the pod */
          name: string;
        }[];
        /** @description Pod volumes to mount into the container's filesystem.
         * Cannot be updated. */
        volumeMounts?: {
          /** @description Path within the container at which the volume should be mounted. Must
           * not contain ':'. */
          mountPath: string;
          /** @description This must match the Name of a Volume. */
          name: string;
          /** @description Mounted read-only if true, read-write otherwise (false or unspecified).
           * Defaults to false. */
          readOnly?: boolean;
        }[];
      }[];
      /** @description PodSecurityContext is functionally a subset of core/v1 PodSecurityContext,
       * preserving only fields used for allowlisting. */
      securityContext?: {
        /** @description fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
         * before being exposed inside Pod. This field will only apply to
         * volume types which support fsGroup based ownership(and permissions).
         * It will have no effect on ephemeral volume types such as: secret, configmaps
         * and emptydir.
         * Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
         * Note that this field cannot be set when spec.os.name is windows. */
        fsGroupChangePolicy?: string;
      };
      // Volume sources that an allowlisted pod may declare. Only the four source types
      // below are part of the schema; `hostPath` is the one that exposes the node
      // filesystem and should be reviewed at the level of the concrete `path`.
      volumes?: {
        /** @description gcePersistentDisk represents a GCE Disk resource that is attached to a
         * kubelet's host machine and then exposed to the pod.
         * More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk */
        gcePersistentDisk?: {
          /** @description fsType is filesystem type of the volume that you want to mount.
           * Tip: Ensure that the filesystem type is supported by the host operating system.
           * Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.
           * More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
           * TODO: how do we prevent errors in the filesystem from compromising the machine */
          fsType?: string;
          /**
           * Format: int32
           * @description partition is the partition in the volume that you want to mount.
           * If omitted, the default is to mount by volume name.
           * Examples: For volume /dev/sda1, you specify the partition as "1".
           * Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).
           * More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk
           */
          partition?: number;
          /** @description readOnly here will force the ReadOnly setting in VolumeMounts.
           * Defaults to false.
           * More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk */
          readOnly?: boolean;
        };
        /** @description hostPath represents a pre-existing file or directory on the host
         * machine that is directly exposed to the container. This is generally
         * used for system agents or other privileged things that are allowed
         * to see the host machine. Most containers will NOT need this.
         * More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
         * NOTE(review): the schema has no `readOnly` on hostPath itself; read-only access
         * can only be expressed via the matching `volumeMounts[].readOnly`. */
        hostPath?: {
          /** @description path of the directory on the host.
           * If the path is a symlink, it will follow the link to the real path.
           * More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath
           * Prefer the most specific path that works; a broad path (e.g. the root) exposes
           * the whole node filesystem to the allowlisted workload. */
          path: string;
        };
        /** @description name of the volume.
         * Must be a DNS_LABEL and unique within the pod.
         * More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names */
        name: string;
        /** @description nfs represents an NFS mount on the host that shares a pod's lifetime
         * More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs */
        nfs?: {
          /** @description path that is exported by the NFS server.
           * More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs */
          path: string;
          /** @description readOnly here will force the NFS export to be mounted with read-only permissions.
           * Defaults to false.
           * More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs */
          readOnly?: boolean;
        };
        /** @description persistentVolumeClaimVolumeSource represents a reference to a
         * PersistentVolumeClaim in the same namespace.
         * More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims */
        persistentVolumeClaim?: {
          /** @description readOnly Will force the ReadOnly setting in VolumeMounts.
           * Default false. */
          readOnly?: boolean;
        };
      }[];
    };
    // Not described in the CRD schema. NOTE(review): presumably the minimum GKE
    // version on which this allowlist takes effect — confirm against the GKE
    // WorkloadAllowlist documentation before relying on it.
    minGKEVersion?: string;
  };
}