/*
2Copyright 2017 The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17// This file should be consistent with pkg/api/annotation_key_constants.go.
18
19package v1
20
// Annotation keys and well-known annotation values used on core v1 objects.
// The declarations are kept in their original order and form because this
// file is meant to stay consistent with pkg/api/annotation_key_constants.go.
const (
	// ImagePolicyFailedOpenKey is added to pods created by failing open when the image policy
	// webhook backend fails.
	// A pod carrying this annotation was admitted while the backend was failing, so the key
	// is a useful audit signal for workloads that did not receive an image policy decision.
	ImagePolicyFailedOpenKey string = "alpha.image-policy.k8s.io/failed-open"

	// PodPresetOptOutAnnotationKey represents the annotation key for a pod to exempt itself from pod preset manipulation.
	PodPresetOptOutAnnotationKey string = "podpreset.admission.kubernetes.io/exclude"

	// MirrorPodAnnotationKey represents the annotation key set by kubelets when creating mirror pods.
	MirrorPodAnnotationKey string = "kubernetes.io/config.mirror"

	// TolerationsAnnotationKey represents the key of tolerations data (json serialized)
	// in the Annotations of a Pod.
	TolerationsAnnotationKey string = "scheduler.alpha.kubernetes.io/tolerations"

	// TaintsAnnotationKey represents the key of taints data (json serialized)
	// in the Annotations of a Node.
	TaintsAnnotationKey string = "scheduler.alpha.kubernetes.io/taints"

	// SeccompPodAnnotationKey represents the key of a seccomp profile applied
	// to all containers of a pod.
	//
	// Deprecated: set a pod security context `seccompProfile` field.
	SeccompPodAnnotationKey string = "seccomp.security.alpha.kubernetes.io/pod"

	// SeccompContainerAnnotationKeyPrefix represents the key of a seccomp profile applied
	// to one container of a pod.
	//
	// Deprecated: set a container security context `seccompProfile` field.
	SeccompContainerAnnotationKeyPrefix string = "container.seccomp.security.alpha.kubernetes.io/"

	// SeccompProfileRuntimeDefault represents the default seccomp profile used by container runtime.
	//
	// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
	SeccompProfileRuntimeDefault string = "runtime/default"

	// SeccompProfileNameUnconfined is the unconfined seccomp profile.
	// Selecting it means the container runs without seccomp syscall filtering, so
	// admission policy should treat this value as a deliberate relaxation.
	SeccompProfileNameUnconfined string = "unconfined"

	// SeccompLocalhostProfileNamePrefix is the prefix for specifying profiles loaded from the node's disk.
	SeccompLocalhostProfileNamePrefix = "localhost/"

	// AppArmorBetaContainerAnnotationKeyPrefix is the prefix to an annotation key specifying a container's apparmor profile.
	AppArmorBetaContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
	// AppArmorBetaDefaultProfileAnnotationKey is the annotation key specifying the default AppArmor profile.
	AppArmorBetaDefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
	// AppArmorBetaAllowedProfilesAnnotationKey is the annotation key specifying the allowed AppArmor profiles.
	AppArmorBetaAllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"

	// AppArmorBetaProfileRuntimeDefault is the profile specifying the runtime default.
	AppArmorBetaProfileRuntimeDefault = "runtime/default"

	// AppArmorBetaProfileNamePrefix is the prefix for specifying profiles loaded on the node.
	AppArmorBetaProfileNamePrefix = "localhost/"

	// AppArmorBetaProfileNameUnconfined is the Unconfined AppArmor profile.
	// As with the seccomp value of the same name, it requests no AppArmor confinement
	// for the container.
	AppArmorBetaProfileNameUnconfined = "unconfined"

	// DeprecatedSeccompProfileDockerDefault represents the default seccomp profile used by docker.
	//
	// Deprecated: set a pod or container security context `seccompProfile` of type "RuntimeDefault" instead.
	DeprecatedSeccompProfileDockerDefault string = "docker/default"

	// PreferAvoidPodsAnnotationKey represents the key of preferAvoidPods data (json serialized)
	// in the Annotations of a Node.
	PreferAvoidPodsAnnotationKey string = "scheduler.alpha.kubernetes.io/preferAvoidPods"

	// ObjectTTLAnnotationKey represents a suggestion for kubelet for how long it can cache
	// an object (e.g. secret, config map) before fetching it again from apiserver.
	// This annotation can be attached to node.
	ObjectTTLAnnotationKey string = "node.alpha.kubernetes.io/ttl"

	// NonConvertibleAnnotationPrefix is the annotation key prefix used to identify
	// non-convertible json paths.
	NonConvertibleAnnotationPrefix = "non-convertible.kubernetes.io"

	// kubectlPrefix is the prefix from which kubectl annotation keys in this block,
	// such as LastAppliedConfigAnnotation, are built.
	kubectlPrefix = "kubectl.kubernetes.io/"

	// LastAppliedConfigAnnotation is the annotation used to store the previous
	// configuration of a resource for use in a three way diff by UpdateApplyAnnotation.
	// Because the value is a copy of that configuration, anything the configuration
	// contained is also readable by whoever can read the object's annotations.
	LastAppliedConfigAnnotation = kubectlPrefix + "last-applied-configuration"

	// AnnotationLoadBalancerSourceRangesKey is the key of the annotation on a service to set allowed ingress ranges on their LoadBalancers
	//
	// It should be a comma-separated list of CIDRs, e.g. `0.0.0.0/0` to
	// allow full access (the default) or `18.0.0.0/8,56.0.0.0/8` to allow
	// access only from the CIDRs currently allocated to MIT & the USPS.
	//
	// Not all cloud providers support this annotation, though AWS & GCE do.
	//
	// The default is unrestricted: leaving the annotation unset places no source
	// restriction through this key. NOTE(review): on a provider that does not
	// support the annotation the listed ranges are presumably not enforced;
	// confirm per provider before relying on it as an access control.
	AnnotationLoadBalancerSourceRangesKey = "service.beta.kubernetes.io/load-balancer-source-ranges"

	// EndpointsLastChangeTriggerTime is the annotation key, set for endpoints objects, that
	// represents the timestamp (stored as RFC 3339 date-time string, e.g. '2018-10-22T19:32:52.1Z')
	// of the last change, of some Pod or Service object, that triggered the endpoints object change.
	// In other words, if a Pod / Service changed at time T0, that change was observed by endpoints
	// controller at T1, and the Endpoints object was changed at T2, the
	// EndpointsLastChangeTriggerTime would be set to T0.
	//
	// The "endpoints change trigger" here means any Pod or Service change that resulted in the
	// Endpoints object change.
	//
	// Given the definition of the "endpoints change trigger", please note that this annotation will
	// be set ONLY for endpoints object changes triggered by either Pod or Service change. If the
	// Endpoints object changes due to other reasons, this annotation won't be set (or updated if it's
	// already set).
	//
	// This annotation will be used to compute the in-cluster network programming latency SLI, see
	// https://github.com/kubernetes/community/blob/master/sig-scalability/slos/network_programming_latency.md
	EndpointsLastChangeTriggerTime = "endpoints.kubernetes.io/last-change-trigger-time"

	// MigratedPluginsAnnotationKey is the annotation key, set for CSINode objects, that is a comma-separated
	// list of in-tree plugins that will be serviced by the CSI backend on the Node represented by CSINode.
	// This annotation is used by the Attach Detach Controller to determine whether to use the in-tree or
	// CSI Backend for a volume plugin on a specific node.
	MigratedPluginsAnnotationKey = "storage.alpha.kubernetes.io/migrated-plugins"
)