2017-08-04 11:13:19 +00:00
|
|
|
/*
|
|
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
// This file should be consistent with pkg/api/v1/annotation_key_constants.go.
|
|
|
|
|
|
|
|
package api
|
|
|
|
|
|
|
|
const (
|
|
|
|
// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
|
|
|
|
// webhook backend fails.
|
|
|
|
ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"
|
|
|
|
|
|
|
|
// PodPresetOptOutAnnotationKey represents the annotation key for a pod to exempt itself from pod preset manipulation
|
|
|
|
PodPresetOptOutAnnotationKey string = "podpreset.admission.kubernetes.io/exclude"
|
|
|
|
|
|
|
|
// MirrorAnnotationKey represents the annotation key set by kubelets when creating mirror pods
|
|
|
|
MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"
|
|
|
|
|
|
|
|
// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
|
|
|
|
// in the Annotations of a Pod.
|
|
|
|
TolerationsAnnotationKey string = "scheduler.alpha.kubernetes.io/tolerations"
|
|
|
|
|
|
|
|
// TaintsAnnotationKey represents the key of taints data (json serialized)
|
|
|
|
// in the Annotations of a Node.
|
|
|
|
TaintsAnnotationKey string = "scheduler.alpha.kubernetes.io/taints"
|
|
|
|
|
|
|
|
// SeccompPodAnnotationKey represents the key of a seccomp profile applied
|
|
|
|
// to all containers of a pod.
|
|
|
|
SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod"
|
|
|
|
|
|
|
|
// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
|
|
|
|
// to one container of a pod.
|
|
|
|
SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/"
|
|
|
|
|
|
|
|
// CreatedByAnnotation represents the key used to store the spec(json)
|
|
|
|
// used to create the resource.
|
2017-09-26 14:23:09 +00:00
|
|
|
// This field is deprecated in favor of ControllerRef (see #44407).
|
|
|
|
// TODO(#50720): Remove this field in v1.9.
|
2017-08-04 11:13:19 +00:00
|
|
|
CreatedByAnnotation = "kubernetes.io/created-by"
|
|
|
|
|
|
|
|
// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
|
|
|
|
// in the Annotations of a Node.
|
|
|
|
PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods"
|
|
|
|
|
|
|
|
// SysctlsPodAnnotationKey represents the key of sysctls which are set for the infrastructure
|
|
|
|
// container of a pod. The annotation value is a comma separated list of sysctl_name=value
|
|
|
|
// key-value pairs. Only a limited set of whitelisted and isolated sysctls is supported by
|
|
|
|
// the kubelet. Pods with other sysctls will fail to launch.
|
|
|
|
SysctlsPodAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
|
|
|
|
|
|
|
|
// UnsafeSysctlsPodAnnotationKey represents the key of sysctls which are set for the infrastructure
|
|
|
|
// container of a pod. The annotation value is a comma separated list of sysctl_name=value
|
|
|
|
// key-value pairs. Unsafe sysctls must be explicitly enabled for a kubelet. They are properly
|
|
|
|
// namespaced to a pod or a container, but their isolation is usually unclear or weak. Their use
|
|
|
|
// is at-your-own-risk. Pods that attempt to set an unsafe sysctl that is not enabled for a kubelet
|
|
|
|
// will fail to launch.
|
|
|
|
UnsafeSysctlsPodAnnotationKey string = "security.alpha.kubernetes.io/unsafe-sysctls"
|
|
|
|
|
|
|
|
// ObjectTTLAnnotations represents a suggestion for kubelet for how long it can cache
|
|
|
|
// an object (e.g. secret, config map) before fetching it again from apiserver.
|
|
|
|
// This annotation can be attached to node.
|
|
|
|
ObjectTTLAnnotationKey string = "node.alpha.kubernetes.io/ttl"
|
|
|
|
|
|
|
|
// annotation key prefix used to identify non-convertible json paths.
|
|
|
|
NonConvertibleAnnotationPrefix = "non-convertible.kubernetes.io"
|
|
|
|
|
|
|
|
kubectlPrefix = "kubectl.kubernetes.io/"
|
|
|
|
|
|
|
|
// LastAppliedConfigAnnotation is the annotation used to store the previous
|
|
|
|
// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
|
|
|
|
LastAppliedConfigAnnotation = kubectlPrefix + "last-applied-configuration"
|
|
|
|
|
|
|
|
// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
|
|
|
|
//
|
|
|
|
// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
|
|
|
|
// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
|
|
|
|
// access only from the CIDRs currently allocated to MIT & the USPS.
|
|
|
|
//
|
|
|
|
// Not all cloud providers support this annotation, though AWS & GCE do.
|
|
|
|
AnnotationLoadBalancerSourceRangesKey = "service.beta.kubernetes.io/load-balancer-source-ranges"
|
|
|
|
)
|