k8s.io/kubernetes@v1.29.3/pkg/apis/certificates/types.go (about) 1 /* 2 Copyright 2016 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package certificates 18 19 import ( 20 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 21 api "k8s.io/kubernetes/pkg/apis/core" 22 ) 23 24 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 25 26 // Describes a certificate signing request 27 type CertificateSigningRequest struct { 28 metav1.TypeMeta 29 // +optional 30 metav1.ObjectMeta 31 32 // The certificate request itself and any additional information. 33 // +optional 34 Spec CertificateSigningRequestSpec 35 36 // Derived information about the request. 37 // +optional 38 Status CertificateSigningRequestStatus 39 } 40 41 // This information is immutable after the request is created. Only the Request 42 // and Usages fields can be set on creation, other fields are derived by 43 // Kubernetes and cannot be modified by users. 44 type CertificateSigningRequestSpec struct { 45 // Base64-encoded PKCS#10 CSR data 46 Request []byte 47 48 // signerName indicates the requested signer, and is a qualified name. 49 // 50 // List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. 51 // 52 // Well-known Kubernetes signers are: 53 // 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver. 54 // Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager. 55 // 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver. 56 // Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. 57 // 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely. 58 // Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. 59 // 60 // More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers 61 // 62 // Custom signerNames can also be specified. The signer defines: 63 // 1. Trust distribution: how trust (CA bundles) are distributed. 64 // 2. Permitted subjects: and behavior when a disallowed subject is requested. 65 // 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested. 66 // 4. Required, permitted, or forbidden key usages / extended key usages. 67 // 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin. 68 // 6. Whether or not requests for CA certificates are allowed. 69 SignerName string 70 71 // expirationSeconds is the requested duration of validity of the issued 72 // certificate. The certificate signer may issue a certificate with a different 73 // validity duration so a client must check the delta between the notBefore and 74 // and notAfter fields in the issued certificate to determine the actual duration. 75 // 76 // The v1.22+ in-tree implementations of the well-known Kubernetes signers will 77 // honor this field as long as the requested duration is not greater than the 78 // maximum duration they will honor per the --cluster-signing-duration CLI 79 // flag to the Kubernetes controller manager. 80 // 81 // Certificate signers may not honor this field for various reasons: 82 // 83 // 1. Old signer that is unaware of the field (such as the in-tree 84 // implementations prior to v1.22) 85 // 2. Signer whose configured maximum is shorter than the requested duration 86 // 3. Signer whose configured minimum is longer than the requested duration 87 // 88 // The minimum valid value for expirationSeconds is 600, i.e. 10 minutes. 89 // 90 // +optional 91 ExpirationSeconds *int32 92 93 // usages specifies a set of usage contexts the key will be 94 // valid for. 95 // See: 96 // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 97 // https://tools.ietf.org/html/rfc5280#section-4.2.1.12 98 Usages []KeyUsage 99 100 // Information about the requesting user. 101 // See user.Info interface for details. 102 // +optional 103 Username string 104 // UID information about the requesting user. 105 // See user.Info interface for details. 106 // +optional 107 UID string 108 // Group information about the requesting user. 109 // See user.Info interface for details. 110 // +optional 111 Groups []string 112 // Extra information about the requesting user. 113 // See user.Info interface for details. 114 // +optional 115 Extra map[string]ExtraValue 116 } 117 118 // Built in signerName values that are honoured by kube-controller-manager. 119 // None of these usages are related to ServiceAccount token secrets 120 // `.data[ca.crt]` in any way. 121 const ( 122 // Signs certificates that will be honored as client-certs by the 123 // kube-apiserver. Never auto-approved by kube-controller-manager. 124 KubeAPIServerClientSignerName = "kubernetes.io/kube-apiserver-client" 125 126 // Signs client certificates that will be honored as client-certs by the 127 // kube-apiserver for a kubelet. 128 // May be auto-approved by kube-controller-manager. 129 KubeAPIServerClientKubeletSignerName = "kubernetes.io/kube-apiserver-client-kubelet" 130 131 // Signs serving certificates that are honored as a valid kubelet serving 132 // certificate by the kube-apiserver, but has no other guarantees. 133 KubeletServingSignerName = "kubernetes.io/kubelet-serving" 134 135 // Has no guarantees for trust at all. Some distributions may honor these 136 // as client certs, but that behavior is not standard kubernetes behavior. 137 LegacyUnknownSignerName = "kubernetes.io/legacy-unknown" 138 ) 139 140 // ExtraValue masks the value so protobuf can generate 141 type ExtraValue []string 142 143 type CertificateSigningRequestStatus struct { 144 // Conditions applied to the request, such as approval or denial. 145 // +optional 146 Conditions []CertificateSigningRequestCondition 147 148 // If request was approved, the controller will place the issued certificate here. 149 // +optional 150 Certificate []byte 151 } 152 153 type RequestConditionType string 154 155 // These are the possible conditions for a certificate request. 156 const ( 157 CertificateApproved RequestConditionType = "Approved" 158 CertificateDenied RequestConditionType = "Denied" 159 CertificateFailed RequestConditionType = "Failed" 160 ) 161 162 type CertificateSigningRequestCondition struct { 163 // type of the condition. Known conditions include "Approved", "Denied", and "Failed". 164 Type RequestConditionType 165 // Status of the condition, one of True, False, Unknown. 166 // Approved, Denied, and Failed conditions may not be "False" or "Unknown". 167 // If unset, should be treated as "True". 168 // +optional 169 Status api.ConditionStatus 170 // brief reason for the request state 171 // +optional 172 Reason string 173 // human readable message with details about the request state 174 // +optional 175 Message string 176 // timestamp for the last update to this condition 177 // +optional 178 LastUpdateTime metav1.Time 179 // lastTransitionTime is the time the condition last transitioned from one status to another. 180 // +optional 181 LastTransitionTime metav1.Time 182 } 183 184 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 185 186 type CertificateSigningRequestList struct { 187 metav1.TypeMeta 188 // +optional 189 metav1.ListMeta 190 191 // +optional 192 Items []CertificateSigningRequest 193 } 194 195 // KeyUsages specifies valid usage contexts for keys. 196 // See: 197 // 198 // https://tools.ietf.org/html/rfc5280#section-4.2.1.3 199 // https://tools.ietf.org/html/rfc5280#section-4.2.1.12 200 type KeyUsage string 201 202 const ( 203 UsageSigning KeyUsage = "signing" 204 UsageDigitalSignature KeyUsage = "digital signature" 205 UsageContentCommitment KeyUsage = "content commitment" 206 UsageKeyEncipherment KeyUsage = "key encipherment" 207 UsageKeyAgreement KeyUsage = "key agreement" 208 UsageDataEncipherment KeyUsage = "data encipherment" 209 UsageCertSign KeyUsage = "cert sign" 210 UsageCRLSign KeyUsage = "crl sign" 211 UsageEncipherOnly KeyUsage = "encipher only" 212 UsageDecipherOnly KeyUsage = "decipher only" 213 UsageAny KeyUsage = "any" 214 UsageServerAuth KeyUsage = "server auth" 215 UsageClientAuth KeyUsage = "client auth" 216 UsageCodeSigning KeyUsage = "code signing" 217 UsageEmailProtection KeyUsage = "email protection" 218 UsageSMIME KeyUsage = "s/mime" 219 UsageIPsecEndSystem KeyUsage = "ipsec end system" 220 UsageIPsecTunnel KeyUsage = "ipsec tunnel" 221 UsageIPsecUser KeyUsage = "ipsec user" 222 UsageTimestamping KeyUsage = "timestamping" 223 UsageOCSPSigning KeyUsage = "ocsp signing" 224 UsageMicrosoftSGC KeyUsage = "microsoft sgc" 225 UsageNetscapeSGC KeyUsage = "netscape sgc" 226 ) 227 228 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 229 230 // ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors 231 // (root certificates). 232 // 233 // ClusterTrustBundle objects are considered to be readable by any authenticated 234 // user in the cluster. 235 // 236 // It can be optionally associated with a particular assigner, in which case it 237 // contains one valid set of trust anchors for that signer. Signers may have 238 // multiple associated ClusterTrustBundles; each is an independent set of trust 239 // anchors for that signer. 240 type ClusterTrustBundle struct { 241 metav1.TypeMeta 242 // +optional 243 metav1.ObjectMeta 244 245 // Spec contains the signer (if any) and trust anchors. 246 // +optional 247 Spec ClusterTrustBundleSpec 248 } 249 250 // ClusterTrustBundleSpec contains the signer and trust anchors. 251 type ClusterTrustBundleSpec struct { 252 // SignerName indicates the associated signer, if any. 253 SignerName string 254 255 // TrustBundle contains the individual X.509 trust anchors for this 256 // bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates. 257 // 258 // The data must consist only of PEM certificate blocks that parse as valid 259 // X.509 certificates. Each certificate must include a basic constraints 260 // extension with the CA bit set. The API server will reject objects that 261 // contain duplicate certificates, or that use PEM block headers. 262 // 263 // Users of ClusterTrustBundles, including Kubelet, are free to reorder and 264 // deduplicate certificate blocks in this file according to their own logic, 265 // as well as to drop PEM block headers and inter-block data. 266 TrustBundle string 267 } 268 269 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 270 271 // ClusterTrustBundleList is a collection of ClusterTrustBundle objects 272 type ClusterTrustBundleList struct { 273 metav1.TypeMeta 274 // +optional 275 metav1.ListMeta 276 277 // Items is a collection of ClusterTrustBundle objects 278 Items []ClusterTrustBundle 279 } 280 281 // MaxTrustBundleSize is the maximimum size of a single trust bundle field. 282 const MaxTrustBundleSize = 1 * 1024 * 1024