├── .github └── PULL_REQUEST_TEMPLATE.md ├── CONTRIBUTING.md ├── LICENSE ├── OWNERS ├── README.md ├── SECURITY_CONTACTS ├── code-of-conduct.md ├── doc.go ├── go.mod ├── go.sum └── pkg ├── apis ├── runtime │ └── v1 │ │ ├── api.pb.go │ │ ├── api.proto │ │ └── constants.go ├── services.go └── testing │ ├── fake_image_service.go │ ├── fake_runtime_service.go │ └── utils.go └── errors ├── doc.go ├── errors.go └── errors_test.go /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | Sorry, we do not accept changes directly against this repository. Please see 2 | CONTRIBUTING.md for information on where and how to contribute instead. 3 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing guidelines 2 | 3 | Do not open pull requests directly against this repository, they will be ignored. 4 | Instead, please open pull requests against [kubernetes/kubernetes](https://git.k8s.io/kubernetes/). 5 | Please follow the same [contributing guide](https://git.k8s.io/kubernetes/CONTRIBUTING.md) 6 | you would follow for any other pull request made to kubernetes/kubernetes. 7 | 8 | Issues related to CRI API can be filed at [kubernetes/kubernetes repository](https://github.com/kubernetes/kubernetes/issues). 9 | For issues in specific implementations of CRI API (e.g. container runtime) - follow processes of the specific runtime. 10 | For support, ask your Kubernetes vendor or ask at the [forum](https://discuss.kubernetes.io/). 11 | 12 | This repository is published from [kubernetes/kubernetes/staging/src/k8s.io/cri-api](https://git.k8s.io/kubernetes/staging/src/k8s.io/cri-api) 13 | by the [kubernetes publishing-bot](https://git.k8s.io/publishing-bot). 14 | 15 | Please see [Staging Directory and Publishing](https://git.k8s.io/community/contributors/devel/sig-architecture/staging.md) for more information. 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | # See the OWNERS docs at https://go.k8s.io/owners 2 | 3 | # Disable inheritance as this is owned by sig-node (should mirror same contents as pkg/kubelet/OWNERS) 4 | options: 5 | no_parent_owners: true 6 | filters: 7 | # to use filters all entries must be under filters https://go.k8s.io/owners/#filters 8 | # use .* for approvers that should have all files 9 | ".*": 10 | approvers: 11 | - dims 12 | - feiskyer 13 | - sig-node-approvers 14 | - api-approvers 15 | - sig-node-cri-approvers 16 | reviewers: 17 | - sig-node-reviewers 18 | - dims 19 | labels: 20 | - sig/node 21 | - area/kubelet 22 | emeritus_approvers: 23 | - resouer 24 | # go.{mod,sum} files relate to go dependencies, and should be reviewed by the 25 | # dep-approvers 26 | "go\\.(mod|sum)$": 27 | approvers: 28 | - dep-approvers 29 | reviewers: 30 | - dep-reviewers 31 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Purpose 2 | 3 | This repository contains the definitions for the Container Runtime Interface (CRI). 4 | CRI is a plugin interface which enables kubelet to use a wide variety of container runtimes, 5 | without the need to recompile. CRI consists of a protocol buffers and gRPC API. 6 | Read more about CRI API at [kubernetes docs](https://kubernetes.io/docs/concepts/architecture/cri/). 7 | 8 | The repository [kubernetes/cri-api](https://github.com/kubernetes/cri-api) is a mirror of https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/cri-api. 9 | Please do **not** file issues or submit PRs against the [kubernetes/cri-api](https://github.com/kubernetes/cri-api) 10 | repository as it is readonly, all development is done in [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes). 11 | 12 | The CRI API is defined in [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes) 13 | repository and is **only** intended to be used for kubelet to container runtime 14 | interactions, or for node-level troubleshooting using a tool such as `crictl`. 15 | It is **not** a common purpose container runtime API for general use, and is intended 16 | to be Kubernetes-centric. We try to avoid it, but there may be logic within a container 17 | runtime that optimizes for the order or specific parameters of call(s) that the kubelet 18 | makes. 19 | 20 | ## Version skew policy and feature development 21 | 22 | Please read about: 23 | 24 | - [CRI API version skew policy](https://kubernetes.dev/docs/code/cri-api-version-skew-policy/) 25 | - [Kubernetes feature development and container runtimes](https://kubernetes.dev/docs/code/cri-api-dev-policies/) 26 | 27 | ## Community, discussion, contribution, and support 28 | 29 | Learn how to engage with the Kubernetes community on the [community 30 | page](https://www.k8s.dev/community/). 31 | 32 | You can reach the maintainers of this repository at: 33 | 34 | - Slack: #sig-node (on https://kubernetes.slack.com -- get an 35 | invite at [slack.kubernetes.io](https://slack.kubernetes.io)) 36 | - Mailing List: 37 | https://groups.google.com/a/kubernetes.io/g/sig-node 38 | 39 | Issues can be filed at https://github.com/kubernetes/kubernetes/issues. See [CONTRIBUTING.md](CONTRIBUTING.md). 40 | 41 | ### Code of Conduct 42 | 43 | Participation in the Kubernetes community is governed by the [Kubernetes 44 | Code of Conduct](code-of-conduct.md). 45 | 46 | ### Contribution Guidelines 47 | 48 | See [CONTRIBUTING.md](CONTRIBUTING.md) for more information. Please note that [kubernetes/cri-api](https://github.com/kubernetes/cri-api) 49 | is a readonly mirror repository, all development is done at [kubernetes/kubernetes](https://github.com/kubernetes/kubernetes). 50 | 51 | ## Change history 52 | 53 | Here is the change history of the Container Runtime Interface protocol. The change history is maintained manually: 54 | 55 | ### v1.20 56 | 57 | `git diff v1.19.0 v1.20.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 58 | 59 | - CRI [v1 introduced](https://github.com/kubernetes/kubernetes/pull/96387) 60 | 61 | ### v1.21 62 | 63 | `git diff v1.20.0 v1.21.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 64 | 65 | No changes 66 | 67 | ### v1.22 68 | 69 | `git diff v1.21.0 v1.22.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 70 | 71 | - [Windows host process support](https://github.com/kubernetes/kubernetes/pull/99576) 72 | - `PodSandboxConfig` has `windows` field of type `WindowsPodSandboxConfig` 73 | - New type `WindowsPodSandboxConfig` introduced 74 | - New type `WindowsSandboxSecurityContext` introduced 75 | - The type `WindowsContainerSecurityContext` has a new `host_process` boolean field 76 | 77 | - [Feature: add unified on CRI to support cgroup v2](https://github.com/kubernetes/kubernetes/pull/102578) 78 | - The type `LinuxContainerResources` has a new field `unified` which is a map of strings 79 | 80 | - [Alpha node swap support](https://github.com/kubernetes/kubernetes/pull/102823) 81 | - The type `LinuxContainerResources` has a new `memory_swap_limit_in_bytes` int64 field 82 | 83 | ### v1.23 84 | 85 | `git diff v1.22.0 v1.23.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 86 | 87 | - [CRI: add fields for pod level stats to satisfy the /stats/summary API](https://github.com/kubernetes/kubernetes/pull/102789) 88 | - New functions `PodSandboxStats`, `ListPodSandboxStats` with the corresponding types of request and response objects are introduced 89 | 90 | - [pass sandbox resource requirements over CRI](https://github.com/kubernetes/kubernetes/pull/104886) 91 | - New fields on `LinuxPodSandboxConfig`: `overhead` and `resources` of type `LinuxContainerResources`. 92 | 93 | - [prevents garbage collection from removing pinned images](https://github.com/kubernetes/kubernetes/pull/103299) 94 | - The type `Image` has a new boolean field `pinned` 95 | 96 | ### v1.24 97 | 98 | `git diff v1.23.0 v1.24.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 99 | 100 | - [Update CRI-API Capabilities to include a field that allows us to set ambient capabilities](https://github.com/kubernetes/kubernetes/pull/104620) 101 | - The type `Capability` has a new string field `add_ambient_capabilities` 102 | 103 | - [CRI-API - Add rootfs size to WindowsContainerResources](https://github.com/kubernetes/kubernetes/pull/108894) 104 | - The type `WindowsContainerResources` has a new int64 field `rootfs_size_in_bytes` 105 | 106 | ### v1.25 107 | 108 | `git diff v1.24.0 v1.25.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 109 | 110 | 111 | - [kubelet: add CRI definitions for user namespaces](https://github.com/kubernetes/kubernetes/pull/110535) 112 | - The new type `UserNamespace` introduced to represent user namespaces id mapping 113 | - The type `NamespaceOption` has a new field `userns_options` of type `UserNamespace` 114 | 115 | - [Minimal checkpointing support](https://github.com/kubernetes/kubernetes/pull/104907) 116 | - The new method `CheckpointContainer` introduced with the corresponding request and response types 117 | 118 | - [Update CRI API to support Evented PLEG](https://github.com/kubernetes/kubernetes/pull/111642) 119 | - The new streaming method `GetContainerEvents` is introduced with the corresponding request and response types 120 | 121 | - [CRI changes to support in-place pod resize](https://github.com/kubernetes/kubernetes/pull/111645) 122 | - The new type `ContainerResources` is introduced 123 | - The type `ContainerStatus` has a new field `resources` of type `ContainerResources` 124 | - The semantic of `UpdateContainerResources` updated. The method must be implemented as synchronous and return error on failure 125 | 126 | ### v1.26 127 | 128 | `git diff v1.25.0 v1.26.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 129 | 130 | - [CRI: Add Windows Podsandbox Stats](https://github.com/kubernetes/kubernetes/pull/110754) 131 | - Added fields to the type `WindowsPodSandboxStats` expressing stats required to be collected from windows pods. 132 | 133 | - [Windows hostnetwork alpha](https://github.com/kubernetes/kubernetes/pull/112961) 134 | - New type `WindowsNamespaceOption` introduced 135 | - The type `WindowsSandboxSecurityContext` has a new field `namespace_options` of type `WindowsNamespaceOption` 136 | 137 | - [Improve the API description of `PodSecurityContext.SupplementalGroups` to clarify its unfamiliar behavior](https://github.com/kubernetes/kubernetes/pull/113047) 138 | - Clarified the expected behavior of `SupplementalGroups` field of `PodSecurityContext` 139 | 140 | - [Add Support for Evented PLEG](https://github.com/kubernetes/kubernetes/pull/111384) 141 | - The type `ContainerEventResponse` updated: the field `pod_sandbox_metadata` removed and fields `pod_sandbox_status` and `containers_statuses` added. 142 | - The type `PodSandboxStatusResponse` has a new fields `containers_statuses` and `timestamp` 143 | 144 | ### v1.27 145 | 146 | `git diff v1.26.0 v1.27.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 147 | 148 | - [CRI: Add CDI device info for containers](https://github.com/kubernetes/kubernetes/pull/115891/) 149 | - New type `CDIDevice` was introduced and added to container config 150 | 151 | - [Add mappings for volumes](https://github.com/kubernetes/kubernetes/pull/116377) 152 | - Added new fields to the type `Mount` expressing runtime UID/GID mappings for the mount. 153 | 154 | ### v1.28 155 | 156 | `git diff v1.27.0 v1.28.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 157 | 158 | - [cri-api: fix comment lines about PROPAGATION_PRIVATE](https://github.com/kubernetes/kubernetes/pull/115704) 159 | - Fixed comment lines about PROPAGATION_PRIVATE 160 | 161 | - [Add user specified image to CRI ContainerConfig](https://github.com/kubernetes/kubernetes/pull/118652) 162 | - Added the `user_specified_image` field to type `ImageSpec` 163 | 164 | - [kubelet: get cgroup driver config from CRI ](https://github.com/kubernetes/kubernetes/pull/118770) 165 | - Added rpc for querying runtime configuration 166 | - Added cavieats about cgroup driver field 167 | 168 | - [Add swap to stats to Summary API and Prometheus endpoints (/stats/summary and /metrics/resource)](https://github.com/kubernetes/kubernetes/pull/118865) 169 | - Added `SwapUsage` type 170 | - Added `SwapUsage` field to `ContainerStats` type 171 | 172 | - [Expose commit memory used in WindowsMemoryUsage struct](https://github.com/kubernetes/kubernetes/pull/119238) 173 | - Added the `commit_memory_bytes` field to type `WindowsMemoryUsage` 174 | 175 | ### v1.29 176 | 177 | `git diff v1.28.0 v1.29.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 178 | 179 | - [Add runtime handler field to ImageSpec struct](https://github.com/kubernetes/kubernetes/pull/121121) 180 | - Added `runtime_handler` field to type `ImageSpec` 181 | 182 | - [Add container filesystem to the ImageFsInfoResponse](https://github.com/kubernetes/kubernetes/pull/120914) 183 | - Added `container_filesystems` field to type `ImageFsInfoResponse` 184 | 185 | ### v1.30 186 | 187 | `git diff v1.29.0 v1.30.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 188 | 189 | - [Recursive Read-only (RRO) mounts](https://github.com/kubernetes/kubernetes/pull/123272) 190 | - Added RuntimeHandler and RuntimeHandlerFeatures type 191 | - Added `recursive_read_only` field to type `Mount` 192 | - Added `runtime_handlers` field to type `StatusResponse` 193 | 194 | - [Add user_namespaces field to RuntimeHandlerFeatures](https://github.com/kubernetes/kubernetes/pull/123356) 195 | - Added `user_namespaces` field to type `RuntimeHandlerFeatures` 196 | 197 | - [Add image_id to CRI Container message](https://github.com/kubernetes/kubernetes/pull/123508) 198 | - Added `image_id` field to type `Container` 199 | 200 | - [Add image_id to CRI ContainerStatus message](https://github.com/kubernetes/kubernetes/pull/123583) 201 | - Added `image_id` field to type `ContainerStatus` 202 | 203 | ### v1.31 204 | 205 | `git diff v1.30.0 v1.31.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 206 | 207 | - [KEP-3619: Add NodeStatus.Features.SupplementalGroupsPolicy API and e2e](https://github.com/kubernetes/kubernetes/pull/125470) 208 | - Added `features` field to the type `StatusResponse` for the runtime to kubelet handshake on what features are supported 209 | 210 | - [KEP-3619: Fine-grained SupplementalGroups control](https://github.com/kubernetes/kubernetes/pull/117842) 211 | - Added `supplemental_groups_policy` field to types `LinuxContainerSecurityContext` and `LinuxSandboxSecurityContext` 212 | - Added `user` field to the type `ContainerStatus` to represent actual user for the container 213 | 214 | - [[KEP-4639] Add OCI VolumeSource CRI API](https://github.com/kubernetes/kubernetes/pull/125659) 215 | - Added `image` field to the type `Mount` to represent the OCI VolumeSource 216 | 217 | ### v1.32 218 | 219 | `git diff v1.31.0 v1.32.0 -- staging/src/k8s.io/cri-api/pkg/apis/runtime/v1/api.proto` 220 | 221 | - [CRI: Add field to support CPU affinity on Windows](https://github.com/kubernetes/kubernetes/pull/124285) 222 | - CRI field `affinity_cpus` to `WindowsContainerResources` struct to support CPU affinity on Windows. 223 | This field will be used by Windows CPU manager to set the logical processors to affinitize 224 | for a particular container down to containerd/hcsshim. 225 | -------------------------------------------------------------------------------- /SECURITY_CONTACTS: -------------------------------------------------------------------------------- 1 | # Defined below are the security contacts for this repo. 2 | # 3 | # They are the contact point for the Product Security Committee to reach out 4 | # to for triaging and handling of incoming issues. 5 | # 6 | # The below names agree to abide by the 7 | # [Embargo Policy](https://git.k8s.io/security/private-distributors-list.md#embargo-policy) 8 | # and will be removed and replaced if they violate that agreement. 9 | # 10 | # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE 11 | # INSTRUCTIONS AT https://kubernetes.io/security/ 12 | 13 | tallclair 14 | yujuhong 15 | dims 16 | cjcullen 17 | joelsmith 18 | liggitt 19 | philips 20 | -------------------------------------------------------------------------------- /code-of-conduct.md: -------------------------------------------------------------------------------- 1 | # Kubernetes Community Code of Conduct 2 | 3 | Please refer to our [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md) 4 | -------------------------------------------------------------------------------- /doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2021 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package criapi 18 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | // This is a generated file. Do not edit directly. 2 | 3 | module k8s.io/cri-api 4 | 5 | go 1.24.0 6 | 7 | godebug default=go1.24 8 | 9 | require ( 10 | github.com/gogo/protobuf v1.3.2 11 | github.com/stretchr/testify v1.10.0 12 | google.golang.org/grpc v1.72.1 13 | ) 14 | 15 | require ( 16 | github.com/davecgh/go-spew v1.1.1 // indirect 17 | github.com/google/go-cmp v0.7.0 // indirect 18 | github.com/kr/pretty v0.3.1 // indirect 19 | github.com/pmezard/go-difflib v1.0.0 // indirect 20 | github.com/rogpeppe/go-internal v1.13.1 // indirect 21 | go.opentelemetry.io/otel v1.35.0 // indirect 22 | golang.org/x/net v0.38.0 // indirect 23 | golang.org/x/sys v0.31.0 // indirect 24 | golang.org/x/text v0.23.0 // indirect 25 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect 26 | google.golang.org/protobuf v1.36.5 // indirect 27 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect 28 | gopkg.in/yaml.v3 v3.0.1 // indirect 29 | ) 30 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= 2 | github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 3 | github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 4 | github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= 5 | github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= 6 | github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= 7 | github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= 8 | github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 9 | github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= 10 | github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= 11 | github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= 12 | github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= 13 | github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= 14 | github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= 15 | github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 16 | github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= 17 | github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= 18 | github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= 19 | github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= 20 | github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= 21 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 22 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 23 | github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 24 | github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= 25 | github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= 26 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 27 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 28 | github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= 29 | github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= 30 | github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= 31 | github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= 32 | github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= 33 | github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 34 | github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 35 | go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA= 36 | go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A= 37 | go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ= 38 | go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y= 39 | go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M= 40 | go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE= 41 | go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A= 42 | go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU= 43 | go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk= 44 | go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w= 45 | go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs= 46 | go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc= 47 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 48 | golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= 49 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 50 | golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 51 | golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 52 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 53 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 54 | golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 55 | golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 56 | golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= 57 | golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= 58 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 59 | golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 60 | golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 61 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 62 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 63 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 64 | golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= 65 | golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= 66 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 67 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 68 | golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= 69 | golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= 70 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 71 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 72 | golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= 73 | golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= 74 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 75 | golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 76 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 77 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 78 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4= 79 | google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I= 80 | google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA= 81 | google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM= 82 | google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM= 83 | google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= 84 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 85 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 86 | gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= 87 | gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= 88 | gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 89 | -------------------------------------------------------------------------------- /pkg/apis/runtime/v1/api.proto: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // To regenerate api.pb.go run `hack/update-codegen.sh protobindings` 18 | syntax = "proto3"; 19 | 20 | package runtime.v1; 21 | option go_package = "k8s.io/cri-api/pkg/apis/runtime/v1"; 22 | 23 | import "github.com/gogo/protobuf/gogoproto/gogo.proto"; 24 | 25 | option (gogoproto.goproto_stringer_all) = false; 26 | option (gogoproto.stringer_all) = true; 27 | option (gogoproto.goproto_getters_all) = true; 28 | option (gogoproto.marshaler_all) = true; 29 | option (gogoproto.sizer_all) = true; 30 | option (gogoproto.unmarshaler_all) = true; 31 | option (gogoproto.goproto_unrecognized_all) = false; 32 | 33 | // Runtime service defines the public APIs for remote container runtimes 34 | service RuntimeService { 35 | // Version returns the runtime name, runtime version, and runtime API version. 36 | rpc Version(VersionRequest) returns (VersionResponse) {} 37 | 38 | // RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure 39 | // the sandbox is in the ready state on success. 40 | rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse) {} 41 | // StopPodSandbox stops any running process that is part of the sandbox and 42 | // reclaims network resources (e.g., IP addresses) allocated to the sandbox. 43 | // If there are any running containers in the sandbox, they must be forcibly 44 | // terminated. 45 | // This call is idempotent, and must not return an error if all relevant 46 | // resources have already been reclaimed. kubelet will call StopPodSandbox 47 | // at least once before calling RemovePodSandbox. It will also attempt to 48 | // reclaim resources eagerly, as soon as a sandbox is not needed. Hence, 49 | // multiple StopPodSandbox calls are expected. 50 | rpc StopPodSandbox(StopPodSandboxRequest) returns (StopPodSandboxResponse) {} 51 | // RemovePodSandbox removes the sandbox. If there are any running containers 52 | // in the sandbox, they must be forcibly terminated and removed. 53 | // This call is idempotent, and must not return an error if the sandbox has 54 | // already been removed. 55 | rpc RemovePodSandbox(RemovePodSandboxRequest) returns (RemovePodSandboxResponse) {} 56 | // PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not 57 | // present, returns an error. 58 | rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse) {} 59 | // ListPodSandbox returns a list of PodSandboxes. 60 | rpc ListPodSandbox(ListPodSandboxRequest) returns (ListPodSandboxResponse) {} 61 | 62 | // CreateContainer creates a new container in specified PodSandbox 63 | rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse) {} 64 | // StartContainer starts the container. 65 | rpc StartContainer(StartContainerRequest) returns (StartContainerResponse) {} 66 | // StopContainer stops a running container with a grace period (i.e., timeout). 67 | // This call is idempotent, and must not return an error if the container has 68 | // already been stopped. 69 | // The runtime must forcibly kill the container after the grace period is 70 | // reached. 71 | rpc StopContainer(StopContainerRequest) returns (StopContainerResponse) {} 72 | // RemoveContainer removes the container. If the container is running, the 73 | // container must be forcibly removed. 74 | // This call is idempotent, and must not return an error if the container has 75 | // already been removed. 76 | rpc RemoveContainer(RemoveContainerRequest) returns (RemoveContainerResponse) {} 77 | // ListContainers lists all containers by filters. 78 | rpc ListContainers(ListContainersRequest) returns (ListContainersResponse) {} 79 | // ContainerStatus returns status of the container. If the container is not 80 | // present, returns an error. 81 | rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {} 82 | // UpdateContainerResources updates ContainerConfig of the container synchronously. 83 | // If runtime fails to transactionally update the requested resources, an error is returned. 84 | rpc UpdateContainerResources(UpdateContainerResourcesRequest) returns (UpdateContainerResourcesResponse) {} 85 | // ReopenContainerLog asks runtime to reopen the stdout/stderr log file 86 | // for the container. This is often called after the log file has been 87 | // rotated. If the container is not running, container runtime can choose 88 | // to either create a new log file and return nil, or return an error. 89 | // Once it returns error, new container log file MUST NOT be created. 90 | rpc ReopenContainerLog(ReopenContainerLogRequest) returns (ReopenContainerLogResponse) {} 91 | 92 | // ExecSync runs a command in a container synchronously. 93 | rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {} 94 | // Exec prepares a streaming endpoint to execute a command in the container. 95 | rpc Exec(ExecRequest) returns (ExecResponse) {} 96 | // Attach prepares a streaming endpoint to attach to a running container. 97 | rpc Attach(AttachRequest) returns (AttachResponse) {} 98 | // PortForward prepares a streaming endpoint to forward ports from a PodSandbox. 99 | rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {} 100 | 101 | // ContainerStats returns stats of the container. If the container does not 102 | // exist, the call returns an error. 103 | rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {} 104 | // ListContainerStats returns stats of all running containers. 105 | rpc ListContainerStats(ListContainerStatsRequest) returns (ListContainerStatsResponse) {} 106 | 107 | // PodSandboxStats returns stats of the pod sandbox. If the pod sandbox does not 108 | // exist, the call returns an error. 109 | rpc PodSandboxStats(PodSandboxStatsRequest) returns (PodSandboxStatsResponse) {} 110 | // ListPodSandboxStats returns stats of the pod sandboxes matching a filter. 111 | rpc ListPodSandboxStats(ListPodSandboxStatsRequest) returns (ListPodSandboxStatsResponse) {} 112 | 113 | // UpdateRuntimeConfig updates the runtime configuration based on the given request. 114 | rpc UpdateRuntimeConfig(UpdateRuntimeConfigRequest) returns (UpdateRuntimeConfigResponse) {} 115 | 116 | // Status returns the status of the runtime. 117 | rpc Status(StatusRequest) returns (StatusResponse) {} 118 | 119 | // CheckpointContainer checkpoints a container 120 | rpc CheckpointContainer(CheckpointContainerRequest) returns (CheckpointContainerResponse) {} 121 | 122 | // GetContainerEvents gets container events from the CRI runtime 123 | rpc GetContainerEvents(GetEventsRequest) returns (stream ContainerEventResponse) {} 124 | 125 | // ListMetricDescriptors gets the descriptors for the metrics that will be returned in ListPodSandboxMetrics. 126 | // This list should be static at startup: either the client and server restart together when 127 | // adding or removing metrics descriptors, or they should not change. 128 | // Put differently, if ListPodSandboxMetrics references a name that is not described in the initial 129 | // ListMetricDescriptors call, then the metric will not be broadcasted. 130 | rpc ListMetricDescriptors(ListMetricDescriptorsRequest) returns (ListMetricDescriptorsResponse) {} 131 | 132 | // ListPodSandboxMetrics gets pod sandbox metrics from CRI Runtime 133 | rpc ListPodSandboxMetrics(ListPodSandboxMetricsRequest) returns (ListPodSandboxMetricsResponse) {} 134 | 135 | // RuntimeConfig returns configuration information of the runtime. 136 | // A couple of notes: 137 | // - The RuntimeConfigRequest object is not to be confused with the contents of UpdateRuntimeConfigRequest. 138 | // The former is for having runtime tell Kubelet what to do, the latter vice versa. 139 | // - It is the expectation of the Kubelet that these fields are static for the lifecycle of the Kubelet. 140 | // The Kubelet will not re-request the RuntimeConfiguration after startup, and CRI implementations should 141 | // avoid updating them without a full node reboot. 142 | rpc RuntimeConfig(RuntimeConfigRequest) returns (RuntimeConfigResponse) {} 143 | 144 | // UpdatePodSandboxResources synchronously updates the PodSandboxConfig with 145 | // the pod-level resource configuration. This method is called _after_ the 146 | // Kubelet reconfigures the pod-level cgroups. 147 | // This request is treated as best effort, and failure will not block the 148 | // Kubelet with proceeding with a resize. 149 | rpc UpdatePodSandboxResources(UpdatePodSandboxResourcesRequest) returns (UpdatePodSandboxResourcesResponse) {} 150 | } 151 | 152 | // ImageService defines the public APIs for managing images. 153 | service ImageService { 154 | // ListImages lists existing images. 155 | rpc ListImages(ListImagesRequest) returns (ListImagesResponse) {} 156 | // ImageStatus returns the status of the image. If the image is not 157 | // present, returns a response with ImageStatusResponse.Image set to 158 | // nil. 159 | rpc ImageStatus(ImageStatusRequest) returns (ImageStatusResponse) {} 160 | // PullImage pulls an image with authentication config. 161 | rpc PullImage(PullImageRequest) returns (PullImageResponse) {} 162 | // RemoveImage removes the image. 163 | // This call is idempotent, and must not return an error if the image has 164 | // already been removed. 165 | rpc RemoveImage(RemoveImageRequest) returns (RemoveImageResponse) {} 166 | // ImageFSInfo returns information of the filesystem that is used to store images. 167 | rpc ImageFsInfo(ImageFsInfoRequest) returns (ImageFsInfoResponse) {} 168 | } 169 | 170 | message VersionRequest { 171 | // Version of the kubelet runtime API. 172 | string version = 1; 173 | } 174 | 175 | message VersionResponse { 176 | // Version of the kubelet runtime API. 177 | string version = 1; 178 | // Name of the container runtime. 179 | string runtime_name = 2; 180 | // Version of the container runtime. The string must be 181 | // semver-compatible. 182 | string runtime_version = 3; 183 | // API version of the container runtime. The string must be 184 | // semver-compatible. 185 | string runtime_api_version = 4; 186 | } 187 | 188 | // DNSConfig specifies the DNS servers and search domains of a sandbox. 189 | message DNSConfig { 190 | // List of DNS servers of the cluster. 191 | repeated string servers = 1; 192 | // List of DNS search domains of the cluster. 193 | repeated string searches = 2; 194 | // List of DNS options. See https://linux.die.net/man/5/resolv.conf 195 | // for all available options. 196 | repeated string options = 3; 197 | } 198 | 199 | enum Protocol { 200 | TCP = 0; 201 | UDP = 1; 202 | SCTP = 2; 203 | } 204 | 205 | // PortMapping specifies the port mapping configurations of a sandbox. 206 | message PortMapping { 207 | // Protocol of the port mapping. 208 | Protocol protocol = 1; 209 | // Port number within the container. Default: 0 (not specified). 210 | int32 container_port = 2; 211 | // Port number on the host to map the container port to. 212 | // 213 | // * Valid host port range is 1-65535. 214 | // * The value 0 has explicit semantic meaning: it indicates NO host port should be allocated. 215 | // * The value 0 does NOT indicate dynamic port allocation. Future implementations 216 | // of dynamic allocation will use different values/semantics. 217 | // * Implementations MUST handle the case where this field is explicitly set to 0, 218 | // This field SHOULD be omitted when no port is required. 219 | // 220 | // Default: If omitted, container port will not be exposed on the host. 221 | int32 host_port = 3; 222 | // Host IP. 223 | string host_ip = 4; 224 | } 225 | 226 | enum MountPropagation { 227 | // No mount propagation ("rprivate" in Linux terminology). 228 | PROPAGATION_PRIVATE = 0; 229 | // Mounts get propagated from the host to the container ("rslave" in Linux). 230 | PROPAGATION_HOST_TO_CONTAINER = 1; 231 | // Mounts get propagated from the host to the container and from the 232 | // container to the host ("rshared" in Linux). 233 | PROPAGATION_BIDIRECTIONAL = 2; 234 | } 235 | 236 | // Mount specifies a host volume to mount into a container. 237 | message Mount { 238 | // Path of the mount within the container. 239 | string container_path = 1; 240 | // Path of the mount on the host. Has to be empty if the image field below 241 | // is provided, because those fields are mutually exclusive. If the image 242 | // field below is nil and the host path doesn't exist, then runtimes should 243 | // report an error. If the hostpath is a symbolic link, runtimes should 244 | // follow the symlink and mount the real destination to container. 245 | string host_path = 2; 246 | // If set, the mount is read-only. 247 | bool readonly = 3; 248 | // If set, the mount needs SELinux relabeling. 249 | bool selinux_relabel = 4; 250 | // Requested propagation mode. 251 | MountPropagation propagation = 5; 252 | // UidMappings specifies the runtime UID mappings for the mount. 253 | repeated IDMapping uidMappings = 6; 254 | // GidMappings specifies the runtime GID mappings for the mount. 255 | repeated IDMapping gidMappings = 7; 256 | // If set to true, the mount is made recursive read-only. 257 | // In this CRI API, recursive_read_only is a plain true/false boolean, although its equivalent 258 | // in the Kubernetes core API is a quaternary that can be nil, "Enabled", "IfPossible", or "Disabled". 259 | // kubelet translates that quaternary value in the core API into a boolean in this CRI API. 260 | // Remarks: 261 | // - nil is just treated as false 262 | // - when set to true, readonly must be explicitly set to true, and propagation must be PRIVATE (0). 263 | // - (readonly == false && recursive_read_only == false) does not make the mount read-only. 264 | bool recursive_read_only = 8; 265 | // Mount an image reference (image ID, with or without digest), which is a 266 | // special use case for image volume mounts. If this field is set, then 267 | // host_path should be unset. All image mounts are per feature definition 268 | // readonly (noexec). The kubelet does an PullImage RPC and evaluates the returned 269 | // PullImageResponse.image_ref value, which is then set to the 270 | // ImageSpec.image field. Runtimes are expected to mount the image as 271 | // required. 272 | // Introduced in the Image Volume Source KEP: https://kep.k8s.io/4639 273 | ImageSpec image = 9; 274 | // Specific image sub path to be used from inside the image instead of its 275 | // root, only necessary if the above image field is set. If the sub path is 276 | // not empty and does not exist in the image, then runtimes should fail and 277 | // return an error. 278 | // Introduced in the Image Volume Source KEP beta graduation: https://kep.k8s.io/4639 279 | string image_sub_path = 10; 280 | } 281 | 282 | // IDMapping describes host to container ID mappings for a pod sandbox. 283 | message IDMapping { 284 | // HostId is the id on the host. 285 | uint32 host_id = 1; 286 | // ContainerId is the id in the container. 287 | uint32 container_id = 2; 288 | // Length is the size of the range to map. 289 | uint32 length = 3; 290 | } 291 | 292 | // A NamespaceMode describes the intended namespace configuration for each 293 | // of the namespaces (Network, PID, IPC) in NamespaceOption. Runtimes should 294 | // map these modes as appropriate for the technology underlying the runtime. 295 | enum NamespaceMode { 296 | // A POD namespace is common to all containers in a pod. 297 | // For example, a container with a PID namespace of POD expects to view 298 | // all of the processes in all of the containers in the pod. 299 | POD = 0; 300 | // A CONTAINER namespace is restricted to a single container. 301 | // For example, a container with a PID namespace of CONTAINER expects to 302 | // view only the processes in that container. 303 | CONTAINER = 1; 304 | // A NODE namespace is the namespace of the Kubernetes node. 305 | // For example, a container with a PID namespace of NODE expects to view 306 | // all of the processes on the host running the kubelet. 307 | NODE = 2; 308 | // TARGET targets the namespace of another container. When this is specified, 309 | // a target_id must be specified in NamespaceOption and refer to a container 310 | // previously created with NamespaceMode CONTAINER. This containers namespace 311 | // will be made to match that of container target_id. 312 | // For example, a container with a PID namespace of TARGET expects to view 313 | // all of the processes that container target_id can view. 314 | TARGET = 3; 315 | } 316 | 317 | // UserNamespace describes the intended user namespace configuration for a pod sandbox. 318 | message UserNamespace { 319 | // Mode is the NamespaceMode for this UserNamespace. 320 | // Note: NamespaceMode for UserNamespace currently supports only POD and NODE, not CONTAINER OR TARGET. 321 | NamespaceMode mode = 1; 322 | 323 | // Uids specifies the UID mappings for the user namespace. 324 | repeated IDMapping uids = 2; 325 | 326 | // Gids specifies the GID mappings for the user namespace. 327 | repeated IDMapping gids = 3; 328 | } 329 | 330 | // NamespaceOption provides options for Linux namespaces. 331 | message NamespaceOption { 332 | // Network namespace for this container/sandbox. 333 | // Note: There is currently no way to set CONTAINER scoped network in the Kubernetes API. 334 | // Namespaces currently set by the kubelet: POD, NODE 335 | NamespaceMode network = 1; 336 | // PID namespace for this container/sandbox. 337 | // Note: The CRI default is POD, but the v1.PodSpec default is CONTAINER. 338 | // The kubelet's runtime manager will set this to CONTAINER explicitly for v1 pods. 339 | // Namespaces currently set by the kubelet: POD, CONTAINER, NODE, TARGET 340 | NamespaceMode pid = 2; 341 | // IPC namespace for this container/sandbox. 342 | // Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API. 343 | // Namespaces currently set by the kubelet: POD, NODE 344 | NamespaceMode ipc = 3; 345 | // Target Container ID for NamespaceMode of TARGET. This container must have been 346 | // previously created in the same pod. It is not possible to specify different targets 347 | // for each namespace. 348 | string target_id = 4; 349 | // UsernsOptions for this pod sandbox. 350 | // The Kubelet picks the user namespace configuration to use for the pod sandbox. The mappings 351 | // are specified as part of the UserNamespace struct. If the struct is nil, then the POD mode 352 | // must be assumed. This is done for backward compatibility with older Kubelet versions that 353 | // do not set a user namespace. 354 | UserNamespace userns_options = 5; 355 | } 356 | 357 | // SupplementalGroupsPolicy defines how supplemental groups 358 | // of the first container processes are calculated. 359 | enum SupplementalGroupsPolicy { 360 | // Merge means that the container's provided SupplementalGroups 361 | // and FsGroup (specified in SecurityContext) will be merged with 362 | // the primary user's groups as defined in the container image 363 | // (in /etc/group). 364 | Merge = 0; 365 | // Strict means that the container's provided SupplementalGroups 366 | // and FsGroup (specified in SecurityContext) will be used instead of 367 | // any groups defined in the container image. 368 | Strict = 1; 369 | } 370 | 371 | // Int64Value is the wrapper of int64. 372 | message Int64Value { 373 | // The value. 374 | int64 value = 1; 375 | } 376 | 377 | // LinuxSandboxSecurityContext holds linux security configuration that will be 378 | // applied to a sandbox. Note that: 379 | // 1) It does not apply to containers in the pods. 380 | // 2) It may not be applicable to a PodSandbox which does not contain any running 381 | // process. 382 | message LinuxSandboxSecurityContext { 383 | // Configurations for the sandbox's namespaces. 384 | // This will be used only if the PodSandbox uses namespace for isolation. 385 | NamespaceOption namespace_options = 1; 386 | // Optional SELinux context to be applied. 387 | SELinuxOption selinux_options = 2; 388 | // UID to run sandbox processes as, when applicable. 389 | Int64Value run_as_user = 3; 390 | // GID to run sandbox processes as, when applicable. run_as_group should only 391 | // be specified when run_as_user is specified; otherwise, the runtime MUST error. 392 | Int64Value run_as_group = 8; 393 | // If set, the root filesystem of the sandbox is read-only. 394 | bool readonly_rootfs = 4; 395 | // List of groups applied to the first process run in each container. 396 | // supplemental_groups_policy can control how groups will be calculated. 397 | repeated int64 supplemental_groups = 5; 398 | // supplemental_groups_policy defines how supplemental groups of the first 399 | // container processes are calculated. 400 | // Valid values are "Merge" and "Strict". 401 | // If not specified, "Merge" is used. 402 | SupplementalGroupsPolicy supplemental_groups_policy = 11; 403 | // Indicates whether the sandbox will be asked to run a privileged 404 | // container. If a privileged container is to be executed within it, this 405 | // MUST be true. 406 | // This allows a sandbox to take additional security precautions if no 407 | // privileged containers are expected to be run. 408 | bool privileged = 6; 409 | // Seccomp profile for the sandbox. 410 | SecurityProfile seccomp = 9; 411 | // AppArmor profile for the sandbox. 412 | SecurityProfile apparmor = 10; 413 | // Seccomp profile for the sandbox, candidate values are: 414 | // * runtime/default: the default profile for the container runtime 415 | // * unconfined: unconfined profile, ie, no seccomp sandboxing 416 | // * localhost/: the profile installed on the node. 417 | // is the full path of the profile. 418 | // Default: "", which is identical with unconfined. 419 | string seccomp_profile_path = 7 [deprecated=true]; 420 | } 421 | 422 | // A security profile which can be used for sandboxes and containers. 423 | message SecurityProfile { 424 | // Available profile types. 425 | enum ProfileType { 426 | // The container runtime default profile should be used. 427 | RuntimeDefault = 0; 428 | // Disable the feature for the sandbox or the container. 429 | Unconfined = 1; 430 | // A pre-defined profile on the node should be used. 431 | Localhost = 2; 432 | } 433 | // Indicator which `ProfileType` should be applied. 434 | ProfileType profile_type = 1; 435 | // Indicates that a pre-defined profile on the node should be used. 436 | // Must only be set if `ProfileType` is `Localhost`. 437 | // For seccomp, it must be an absolute path to the seccomp profile. 438 | // For AppArmor, this field is the AppArmor `/` 439 | string localhost_ref = 2; 440 | } 441 | 442 | // LinuxPodSandboxConfig holds platform-specific configurations for Linux 443 | // host platforms and Linux-based containers. 444 | message LinuxPodSandboxConfig { 445 | // Parent cgroup of the PodSandbox. 446 | // The cgroupfs style syntax will be used, but the container runtime can 447 | // convert it to systemd semantics if needed. 448 | string cgroup_parent = 1; 449 | // LinuxSandboxSecurityContext holds sandbox security attributes. 450 | LinuxSandboxSecurityContext security_context = 2; 451 | // Sysctls holds linux sysctls config for the sandbox. 452 | map sysctls = 3; 453 | // Optional overhead represents the overheads associated with this sandbox 454 | LinuxContainerResources overhead = 4; 455 | // Optional resources represents the sum of container resources for this sandbox 456 | LinuxContainerResources resources = 5; 457 | } 458 | 459 | // PodSandboxMetadata holds all necessary information for building the sandbox name. 460 | // The container runtime is encouraged to expose the metadata associated with the 461 | // PodSandbox in its user interface for better user experience. For example, 462 | // the runtime can construct a unique PodSandboxName based on the metadata. 463 | message PodSandboxMetadata { 464 | // Pod name of the sandbox. Same as the pod name in the Pod ObjectMeta. 465 | string name = 1; 466 | // Pod UID of the sandbox. Same as the pod UID in the Pod ObjectMeta. 467 | string uid = 2; 468 | // Pod namespace of the sandbox. Same as the pod namespace in the Pod ObjectMeta. 469 | string namespace = 3; 470 | // Attempt number of creating the sandbox. Default: 0. 471 | uint32 attempt = 4; 472 | } 473 | 474 | // PodSandboxConfig holds all the required and optional fields for creating a 475 | // sandbox. 476 | message PodSandboxConfig { 477 | // Metadata of the sandbox. This information will uniquely identify the 478 | // sandbox, and the runtime should leverage this to ensure correct 479 | // operation. The runtime may also use this information to improve UX, such 480 | // as by constructing a readable name. 481 | PodSandboxMetadata metadata = 1; 482 | // Hostname of the sandbox. Hostname could only be empty when the pod 483 | // network namespace is NODE. 484 | string hostname = 2; 485 | // Path to the directory on the host in which container log files are 486 | // stored. 487 | // By default the log of a container going into the LogDirectory will be 488 | // hooked up to STDOUT and STDERR. However, the LogDirectory may contain 489 | // binary log files with structured logging data from the individual 490 | // containers. For example, the files might be newline separated JSON 491 | // structured logs, systemd-journald journal files, gRPC trace files, etc. 492 | // E.g., 493 | // PodSandboxConfig.LogDirectory = `/var/log/pods/__/` 494 | // ContainerConfig.LogPath = `containerName/Instance#.log` 495 | string log_directory = 3; 496 | // DNS config for the sandbox. 497 | DNSConfig dns_config = 4; 498 | // Port mappings for the sandbox. 499 | repeated PortMapping port_mappings = 5; 500 | // Key-value pairs that may be used to scope and select individual resources. 501 | map labels = 6; 502 | // Unstructured key-value map that may be set by the kubelet to store and 503 | // retrieve arbitrary metadata. This will include any annotations set on a 504 | // pod through the Kubernetes API. 505 | // 506 | // Annotations MUST NOT be altered by the runtime; the annotations stored 507 | // here MUST be returned in the PodSandboxStatus associated with the pod 508 | // this PodSandboxConfig creates. 509 | // 510 | // In general, in order to preserve a well-defined interface between the 511 | // kubelet and the container runtime, annotations SHOULD NOT influence 512 | // runtime behaviour. 513 | // 514 | // Annotations can also be useful for runtime authors to experiment with 515 | // new features that are opaque to the Kubernetes APIs (both user-facing 516 | // and the CRI). Whenever possible, however, runtime authors SHOULD 517 | // consider proposing new typed fields for any new features instead. 518 | map annotations = 7; 519 | // Optional configurations specific to Linux hosts. 520 | LinuxPodSandboxConfig linux = 8; 521 | // Optional configurations specific to Windows hosts. 522 | WindowsPodSandboxConfig windows = 9; 523 | } 524 | 525 | message RunPodSandboxRequest { 526 | // Configuration for creating a PodSandbox. 527 | PodSandboxConfig config = 1; 528 | // Named runtime configuration to use for this PodSandbox. 529 | // If the runtime handler is unknown, this request should be rejected. An 530 | // empty string should select the default handler, equivalent to the 531 | // behavior before this feature was added. 532 | // See https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class 533 | string runtime_handler = 2; 534 | } 535 | 536 | message RunPodSandboxResponse { 537 | // ID of the PodSandbox to run. 538 | string pod_sandbox_id = 1; 539 | } 540 | 541 | message StopPodSandboxRequest { 542 | // ID of the PodSandbox to stop. 543 | string pod_sandbox_id = 1; 544 | } 545 | 546 | message StopPodSandboxResponse {} 547 | 548 | message RemovePodSandboxRequest { 549 | // ID of the PodSandbox to remove. 550 | string pod_sandbox_id = 1; 551 | } 552 | 553 | message RemovePodSandboxResponse {} 554 | 555 | message PodSandboxStatusRequest { 556 | // ID of the PodSandbox for which to retrieve status. 557 | string pod_sandbox_id = 1; 558 | // Verbose indicates whether to return extra information about the pod sandbox. 559 | bool verbose = 2; 560 | } 561 | 562 | // PodIP represents an ip of a Pod 563 | message PodIP{ 564 | // an ip is a string representation of an IPv4 or an IPv6 565 | string ip = 1; 566 | } 567 | // PodSandboxNetworkStatus is the status of the network for a PodSandbox. 568 | // Currently ignored for pods sharing the host networking namespace. 569 | message PodSandboxNetworkStatus { 570 | // IP address of the PodSandbox. 571 | string ip = 1; 572 | // list of additional ips (not inclusive of PodSandboxNetworkStatus.Ip) of the PodSandBoxNetworkStatus 573 | repeated PodIP additional_ips = 2; 574 | } 575 | 576 | // Namespace contains paths to the namespaces. 577 | message Namespace { 578 | // Namespace options for Linux namespaces. 579 | NamespaceOption options = 2; 580 | } 581 | 582 | // LinuxSandboxStatus contains status specific to Linux sandboxes. 583 | message LinuxPodSandboxStatus { 584 | // Paths to the sandbox's namespaces. 585 | Namespace namespaces = 1; 586 | } 587 | 588 | enum PodSandboxState { 589 | SANDBOX_READY = 0; 590 | SANDBOX_NOTREADY = 1; 591 | } 592 | 593 | // PodSandboxStatus contains the status of the PodSandbox. 594 | message PodSandboxStatus { 595 | // ID of the sandbox. 596 | string id = 1; 597 | // Metadata of the sandbox. 598 | PodSandboxMetadata metadata = 2; 599 | // State of the sandbox. 600 | PodSandboxState state = 3; 601 | // Creation timestamp of the sandbox in nanoseconds. Must be > 0. 602 | int64 created_at = 4; 603 | // Network contains network status if network is handled by the runtime. 604 | PodSandboxNetworkStatus network = 5; 605 | // Linux-specific status to a pod sandbox. 606 | LinuxPodSandboxStatus linux = 6; 607 | // Labels are key-value pairs that may be used to scope and select individual resources. 608 | map labels = 7; 609 | // Unstructured key-value map holding arbitrary metadata. 610 | // Annotations MUST NOT be altered by the runtime; the value of this field 611 | // MUST be identical to that of the corresponding PodSandboxConfig used to 612 | // instantiate the pod sandbox this status represents. 613 | map annotations = 8; 614 | // runtime configuration used for this PodSandbox. 615 | string runtime_handler = 9; 616 | } 617 | 618 | message PodSandboxStatusResponse { 619 | // Status of the PodSandbox. 620 | PodSandboxStatus status = 1; 621 | // Info is extra information of the PodSandbox. The key could be arbitrary string, and 622 | // value should be in json format. The information could include anything useful for 623 | // debug, e.g. network namespace for linux container based container runtime. 624 | // It should only be returned non-empty when Verbose is true. 625 | map info = 2; 626 | // Container statuses 627 | repeated ContainerStatus containers_statuses = 3; 628 | // Timestamp in nanoseconds at which container and pod statuses were recorded 629 | int64 timestamp = 4; 630 | } 631 | 632 | // PodSandboxStateValue is the wrapper of PodSandboxState. 633 | message PodSandboxStateValue { 634 | // State of the sandbox. 635 | PodSandboxState state = 1; 636 | } 637 | 638 | // PodSandboxFilter is used to filter a list of PodSandboxes. 639 | // All those fields are combined with 'AND' 640 | message PodSandboxFilter { 641 | // ID of the sandbox. 642 | string id = 1; 643 | // State of the sandbox. 644 | PodSandboxStateValue state = 2; 645 | // LabelSelector to select matches. 646 | // Only api.MatchLabels is supported for now and the requirements 647 | // are ANDed. MatchExpressions is not supported yet. 648 | map label_selector = 3; 649 | } 650 | 651 | message ListPodSandboxRequest { 652 | // PodSandboxFilter to filter a list of PodSandboxes. 653 | PodSandboxFilter filter = 1; 654 | } 655 | 656 | 657 | // PodSandbox contains minimal information about a sandbox. 658 | message PodSandbox { 659 | // ID of the PodSandbox. 660 | string id = 1; 661 | // Metadata of the PodSandbox. 662 | PodSandboxMetadata metadata = 2; 663 | // State of the PodSandbox. 664 | PodSandboxState state = 3; 665 | // Creation timestamps of the PodSandbox in nanoseconds. Must be > 0. 666 | int64 created_at = 4; 667 | // Labels of the PodSandbox. 668 | map labels = 5; 669 | // Unstructured key-value map holding arbitrary metadata. 670 | // Annotations MUST NOT be altered by the runtime; the value of this field 671 | // MUST be identical to that of the corresponding PodSandboxConfig used to 672 | // instantiate this PodSandbox. 673 | map annotations = 6; 674 | // runtime configuration used for this PodSandbox. 675 | string runtime_handler = 7; 676 | } 677 | 678 | message ListPodSandboxResponse { 679 | // List of PodSandboxes. 680 | repeated PodSandbox items = 1; 681 | } 682 | 683 | message PodSandboxStatsRequest { 684 | // ID of the pod sandbox for which to retrieve stats. 685 | string pod_sandbox_id = 1; 686 | } 687 | 688 | message PodSandboxStatsResponse { 689 | PodSandboxStats stats = 1; 690 | } 691 | 692 | // PodSandboxStatsFilter is used to filter the list of pod sandboxes to retrieve stats for. 693 | // All those fields are combined with 'AND'. 694 | message PodSandboxStatsFilter { 695 | // ID of the pod sandbox. 696 | string id = 1; 697 | // LabelSelector to select matches. 698 | // Only api.MatchLabels is supported for now and the requirements 699 | // are ANDed. MatchExpressions is not supported yet. 700 | map label_selector = 2; 701 | } 702 | 703 | message ListPodSandboxStatsRequest { 704 | // Filter for the list request. 705 | PodSandboxStatsFilter filter = 1; 706 | } 707 | 708 | message ListPodSandboxStatsResponse { 709 | // Stats of the pod sandbox. 710 | repeated PodSandboxStats stats = 1; 711 | } 712 | 713 | // PodSandboxAttributes provides basic information of the pod sandbox. 714 | message PodSandboxAttributes { 715 | // ID of the pod sandbox. 716 | string id = 1; 717 | // Metadata of the pod sandbox. 718 | PodSandboxMetadata metadata = 2; 719 | // Key-value pairs that may be used to scope and select individual resources. 720 | map labels = 3; 721 | // Unstructured key-value map holding arbitrary metadata. 722 | // Annotations MUST NOT be altered by the runtime; the value of this field 723 | // MUST be identical to that of the corresponding PodSandboxStatus used to 724 | // instantiate the PodSandbox this status represents. 725 | map annotations = 4; 726 | } 727 | 728 | // PodSandboxStats provides the resource usage statistics for a pod. 729 | // The linux or windows field will be populated depending on the platform. 730 | message PodSandboxStats { 731 | // Information of the pod. 732 | PodSandboxAttributes attributes = 1; 733 | // Stats from linux. 734 | LinuxPodSandboxStats linux = 2; 735 | // Stats from windows. 736 | WindowsPodSandboxStats windows = 3; 737 | } 738 | 739 | // LinuxPodSandboxStats provides the resource usage statistics for a pod sandbox on linux. 740 | message LinuxPodSandboxStats { 741 | // CPU usage gathered for the pod sandbox. 742 | CpuUsage cpu = 1; 743 | // Memory usage gathered for the pod sandbox. 744 | MemoryUsage memory = 2; 745 | // Network usage gathered for the pod sandbox 746 | NetworkUsage network = 3; 747 | // Stats pertaining to processes in the pod sandbox. 748 | ProcessUsage process = 4; 749 | // Stats of containers in the measured pod sandbox. 750 | repeated ContainerStats containers = 5; 751 | // IO usage gathered for the pod sandbox. 752 | IoUsage io = 6; 753 | } 754 | 755 | // WindowsPodSandboxStats provides the resource usage statistics for a pod sandbox on windows 756 | message WindowsPodSandboxStats { 757 | // CPU usage gathered for the pod sandbox. 758 | WindowsCpuUsage cpu = 1; 759 | // Memory usage gathered for the pod sandbox. 760 | WindowsMemoryUsage memory = 2; 761 | // Network usage gathered for the pod sandbox 762 | WindowsNetworkUsage network = 3; 763 | // Stats pertaining to processes in the pod sandbox. 764 | WindowsProcessUsage process = 4; 765 | // Stats of containers in the measured pod sandbox. 766 | repeated WindowsContainerStats containers = 5; 767 | } 768 | 769 | // NetworkUsage contains data about network resources. 770 | message NetworkUsage { 771 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 772 | int64 timestamp = 1; 773 | // Stats for the default network interface. 774 | NetworkInterfaceUsage default_interface = 2; 775 | // Stats for all found network interfaces, excluding the default. 776 | repeated NetworkInterfaceUsage interfaces = 3; 777 | } 778 | 779 | // WindowsNetworkUsage contains data about network resources specific to Windows. 780 | message WindowsNetworkUsage { 781 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 782 | int64 timestamp = 1; 783 | // Stats for the default network interface. 784 | WindowsNetworkInterfaceUsage default_interface = 2; 785 | // Stats for all found network interfaces, excluding the default. 786 | repeated WindowsNetworkInterfaceUsage interfaces = 3; 787 | } 788 | 789 | // NetworkInterfaceUsage contains resource value data about a network interface. 790 | message NetworkInterfaceUsage { 791 | // The name of the network interface. 792 | string name = 1; 793 | // Cumulative count of bytes received. 794 | UInt64Value rx_bytes = 2; 795 | // Cumulative count of receive errors encountered. 796 | UInt64Value rx_errors = 3; 797 | // Cumulative count of bytes transmitted. 798 | UInt64Value tx_bytes = 4; 799 | // Cumulative count of transmit errors encountered. 800 | UInt64Value tx_errors = 5; 801 | } 802 | 803 | // WindowsNetworkInterfaceUsage contains resource value data about a network interface specific for Windows. 804 | message WindowsNetworkInterfaceUsage { 805 | // The name of the network interface. 806 | string name = 1; 807 | // Cumulative count of bytes received. 808 | UInt64Value rx_bytes = 2; 809 | // Cumulative count of receive errors encountered. 810 | UInt64Value rx_packets_dropped = 3; 811 | // Cumulative count of bytes transmitted. 812 | UInt64Value tx_bytes = 4; 813 | // Cumulative count of transmit errors encountered. 814 | UInt64Value tx_packets_dropped = 5; 815 | } 816 | 817 | // ProcessUsage are stats pertaining to processes. 818 | message ProcessUsage { 819 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 820 | int64 timestamp = 1; 821 | // Number of processes. 822 | UInt64Value process_count = 2; 823 | } 824 | 825 | // WindowsProcessUsage are stats pertaining to processes specific to Windows. 826 | message WindowsProcessUsage { 827 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 828 | int64 timestamp = 1; 829 | // Number of processes. 830 | UInt64Value process_count = 2; 831 | } 832 | 833 | // ImageSpec is an internal representation of an image. 834 | message ImageSpec { 835 | // Container's Image field (e.g. imageID or imageDigest). 836 | string image = 1; 837 | // Unstructured key-value map holding arbitrary metadata. 838 | // ImageSpec Annotations can be used to help the runtime target specific 839 | // images in multi-arch images. 840 | map annotations = 2; 841 | // The container image reference specified by the user (e.g. image[:tag] or digest). 842 | // Only set if available within the RPC context. 843 | string user_specified_image = 18; 844 | // Runtime handler to use for pulling the image. 845 | // If the runtime handler is unknown, the request should be rejected. 846 | // An empty string would select the default runtime handler. 847 | string runtime_handler = 19; 848 | } 849 | 850 | message KeyValue { 851 | string key = 1; 852 | string value = 2; 853 | } 854 | 855 | // LinuxContainerResources specifies Linux specific configuration for 856 | // resources. 857 | message LinuxContainerResources { 858 | // CPU CFS (Completely Fair Scheduler) period. Default: 0 (not specified). 859 | int64 cpu_period = 1; 860 | // CPU CFS (Completely Fair Scheduler) quota. Default: 0 (not specified). 861 | int64 cpu_quota = 2; 862 | // CPU shares (relative weight vs. other containers). Default: 0 (not specified). 863 | int64 cpu_shares = 3; 864 | // Memory limit in bytes. Default: 0 (not specified). 865 | int64 memory_limit_in_bytes = 4; 866 | // OOMScoreAdj adjusts the oom-killer score. Default: 0 (not specified). 867 | int64 oom_score_adj = 5; 868 | // CpusetCpus constrains the allowed set of logical CPUs. Default: "" (not specified). 869 | string cpuset_cpus = 6; 870 | // CpusetMems constrains the allowed set of memory nodes. Default: "" (not specified). 871 | string cpuset_mems = 7; 872 | // List of HugepageLimits to limit the HugeTLB usage of container per page size. Default: nil (not specified). 873 | repeated HugepageLimit hugepage_limits = 8; 874 | // Unified resources for cgroup v2. Default: nil (not specified). 875 | // Each key/value in the map refers to the cgroup v2. 876 | // e.g. "memory.max": "6937202688" or "io.weight": "default 100". 877 | map unified = 9; 878 | // Memory swap limit in bytes. Default 0 (not specified). 879 | int64 memory_swap_limit_in_bytes = 10; 880 | } 881 | 882 | // HugepageLimit corresponds to the file`hugetlb..limit_in_byte` in container level cgroup. 883 | // For example, `PageSize=1GB`, `Limit=1073741824` means setting `1073741824` bytes to hugetlb.1GB.limit_in_bytes. 884 | message HugepageLimit { 885 | // The value of PageSize has the format B (2MB, 1GB), 886 | // and must match the of the corresponding control file found in `hugetlb..limit_in_bytes`. 887 | // The values of are intended to be parsed using base 1024("1KB" = 1024, "1MB" = 1048576, etc). 888 | string page_size = 1; 889 | // limit in bytes of hugepagesize HugeTLB usage. 890 | uint64 limit = 2; 891 | } 892 | 893 | // SELinuxOption are the labels to be applied to the container. 894 | message SELinuxOption { 895 | string user = 1; 896 | string role = 2; 897 | string type = 3; 898 | string level = 4; 899 | } 900 | 901 | // Capability contains the container capabilities to add or drop 902 | // Dropping a capability will drop it from all sets. 903 | // If a capability is added to only the add_capabilities list then it gets added to permitted, 904 | // inheritable, effective and bounding sets, i.e. all sets except the ambient set. 905 | // If a capability is added to only the add_ambient_capabilities list then it gets added to all sets, i.e permitted 906 | // inheritable, effective, bounding and ambient sets. 907 | // If a capability is added to add_capabilities and add_ambient_capabilities lists then it gets added to all sets, i.e. 908 | // permitted, inheritable, effective, bounding and ambient sets. 909 | message Capability { 910 | // List of capabilities to add. 911 | repeated string add_capabilities = 1; 912 | // List of capabilities to drop. 913 | repeated string drop_capabilities = 2; 914 | // List of ambient capabilities to add. 915 | repeated string add_ambient_capabilities = 3; 916 | } 917 | 918 | // LinuxContainerSecurityContext holds linux security configuration that will be applied to a container. 919 | message LinuxContainerSecurityContext { 920 | // Capabilities to add or drop. 921 | Capability capabilities = 1; 922 | // If set, run container in privileged mode. 923 | // Privileged mode is incompatible with the following options. If 924 | // privileged is set, the following features MAY have no effect: 925 | // 1. capabilities 926 | // 2. selinux_options 927 | // 4. seccomp 928 | // 5. apparmor 929 | // 930 | // Privileged mode implies the following specific options are applied: 931 | // 1. All capabilities are added. 932 | // 2. Sensitive paths, such as kernel module paths within sysfs, are not masked. 933 | // 3. Any sysfs and procfs mounts are mounted RW. 934 | // 4. AppArmor confinement is not applied. 935 | // 5. Seccomp restrictions are not applied. 936 | // 6. The device cgroup does not restrict access to any devices. 937 | // 7. All devices from the host's /dev are available within the container. 938 | // 8. SELinux restrictions are not applied (e.g. label=disabled). 939 | bool privileged = 2; 940 | // Configurations for the container's namespaces. 941 | // Only used if the container uses namespace for isolation. 942 | NamespaceOption namespace_options = 3; 943 | // SELinux context to be optionally applied. 944 | SELinuxOption selinux_options = 4; 945 | // UID to run the container process as. Only one of run_as_user and 946 | // run_as_username can be specified at a time. 947 | Int64Value run_as_user = 5; 948 | // GID to run the container process as. run_as_group should only be specified 949 | // when run_as_user or run_as_username is specified; otherwise, the runtime 950 | // MUST error. 951 | Int64Value run_as_group = 12; 952 | // User name to run the container process as. If specified, the user MUST 953 | // exist in the container image (i.e. in the /etc/passwd inside the image), 954 | // and be resolved there by the runtime; otherwise, the runtime MUST error. 955 | string run_as_username = 6; 956 | // If set, the root filesystem of the container is read-only. 957 | bool readonly_rootfs = 7; 958 | // List of groups applied to the first process run in each container. 959 | // supplemental_groups_policy can control how groups will be calculated. 960 | repeated int64 supplemental_groups = 8; 961 | // supplemental_groups_policy defines how supplemental groups of the first 962 | // container processes are calculated. 963 | // Valid values are "Merge" and "Strict". 964 | // If not specified, "Merge" is used. 965 | SupplementalGroupsPolicy supplemental_groups_policy = 17; 966 | // no_new_privs defines if the flag for no_new_privs should be set on the 967 | // container. 968 | bool no_new_privs = 11; 969 | // masked_paths is a slice of paths that should be masked by the container 970 | // runtime, this can be passed directly to the OCI spec. 971 | repeated string masked_paths = 13; 972 | // readonly_paths is a slice of paths that should be set as readonly by the 973 | // container runtime, this can be passed directly to the OCI spec. 974 | repeated string readonly_paths = 14; 975 | // Seccomp profile for the container. 976 | SecurityProfile seccomp = 15; 977 | // AppArmor profile for the container. 978 | SecurityProfile apparmor = 16; 979 | // AppArmor profile for the container, candidate values are: 980 | // * runtime/default: equivalent to not specifying a profile. 981 | // * unconfined: no profiles are loaded 982 | // * localhost/: profile loaded on the node 983 | // (localhost) by name. The possible profile names are detailed at 984 | // https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference 985 | string apparmor_profile = 9 [deprecated=true]; 986 | // Seccomp profile for the container, candidate values are: 987 | // * runtime/default: the default profile for the container runtime 988 | // * unconfined: unconfined profile, ie, no seccomp sandboxing 989 | // * localhost/: the profile installed on the node. 990 | // is the full path of the profile. 991 | // Default: "", which is identical with unconfined. 992 | string seccomp_profile_path = 10 [deprecated=true]; 993 | } 994 | 995 | // LinuxContainerConfig contains platform-specific configuration for 996 | // Linux-based containers. 997 | message LinuxContainerConfig { 998 | // Resources specification for the container. 999 | LinuxContainerResources resources = 1; 1000 | // LinuxContainerSecurityContext configuration for the container. 1001 | LinuxContainerSecurityContext security_context = 2; 1002 | } 1003 | 1004 | message LinuxContainerUser { 1005 | // uid is the primary uid initially attached to the first process in the container 1006 | int64 uid = 1; 1007 | // gid is the primary gid initially attached to the first process in the container 1008 | int64 gid = 2; 1009 | // supplemental_groups are the supplemental groups initially attached to the first process in the container 1010 | repeated int64 supplemental_groups = 3; 1011 | } 1012 | 1013 | // WindowsNamespaceOption provides options for Windows namespaces. 1014 | message WindowsNamespaceOption { 1015 | // Network namespace for this container/sandbox. 1016 | // This is currently never set by the kubelet 1017 | NamespaceMode network = 1; 1018 | } 1019 | 1020 | // WindowsSandboxSecurityContext holds platform-specific configurations that will be 1021 | // applied to a sandbox. 1022 | // These settings will only apply to the sandbox container. 1023 | message WindowsSandboxSecurityContext { 1024 | // User name to run the container process as. If specified, the user MUST 1025 | // exist in the container image and be resolved there by the runtime; 1026 | // otherwise, the runtime MUST return error. 1027 | string run_as_username = 1; 1028 | 1029 | // The contents of the GMSA credential spec to use to run this container. 1030 | string credential_spec = 2; 1031 | 1032 | // Indicates whether the container requested to run as a HostProcess container. 1033 | bool host_process = 3; 1034 | 1035 | // Configuration for the sandbox's namespaces 1036 | WindowsNamespaceOption namespace_options = 4; 1037 | } 1038 | 1039 | // WindowsPodSandboxConfig holds platform-specific configurations for Windows 1040 | // host platforms and Windows-based containers. 1041 | message WindowsPodSandboxConfig { 1042 | // WindowsSandboxSecurityContext holds sandbox security attributes. 1043 | WindowsSandboxSecurityContext security_context = 1; 1044 | } 1045 | 1046 | // WindowsContainerSecurityContext holds windows security configuration that will be applied to a container. 1047 | message WindowsContainerSecurityContext { 1048 | // User name to run the container process as. If specified, the user MUST 1049 | // exist in the container image and be resolved there by the runtime; 1050 | // otherwise, the runtime MUST return error. 1051 | string run_as_username = 1; 1052 | 1053 | // The contents of the GMSA credential spec to use to run this container. 1054 | string credential_spec = 2; 1055 | 1056 | // Indicates whether a container is to be run as a HostProcess container. 1057 | bool host_process = 3; 1058 | } 1059 | 1060 | // WindowsContainerConfig contains platform-specific configuration for 1061 | // Windows-based containers. 1062 | message WindowsContainerConfig { 1063 | // Resources specification for the container. 1064 | WindowsContainerResources resources = 1; 1065 | // WindowsContainerSecurityContext configuration for the container. 1066 | WindowsContainerSecurityContext security_context = 2; 1067 | } 1068 | 1069 | // WindowsContainerResources specifies Windows specific configuration for 1070 | // resources. 1071 | message WindowsContainerResources { 1072 | // CPU shares (relative weight vs. other containers). Default: 0 (not specified). 1073 | int64 cpu_shares = 1; 1074 | // Number of CPUs available to the container. Default: 0 (not specified). 1075 | int64 cpu_count = 2; 1076 | // Specifies the portion of processor cycles that this container can use as a percentage times 100. 1077 | int64 cpu_maximum = 3; 1078 | // Memory limit in bytes. Default: 0 (not specified). 1079 | int64 memory_limit_in_bytes = 4; 1080 | // Specifies the size of the rootfs / scratch space in bytes to be configured for this container. Default: 0 (not specified). 1081 | int64 rootfs_size_in_bytes = 5; 1082 | // Optionally specifies the set of CPUs to affinitize for this container. 1083 | repeated WindowsCpuGroupAffinity affinity_cpus = 6; 1084 | } 1085 | 1086 | // WindowsCpuGroupAffinity specifies the CPU mask and group to affinitize. 1087 | // This is similar to the following _GROUP_AFFINITY structure: 1088 | // https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/miniport/ns-miniport-_group_affinity 1089 | message WindowsCpuGroupAffinity { 1090 | // CPU mask relative to this CPU group. 1091 | uint64 cpu_mask = 1; 1092 | // Processor group the mask refers to, as returned by 1093 | // GetLogicalProcessorInformationEx. 1094 | uint32 cpu_group = 2; 1095 | } 1096 | 1097 | // ContainerMetadata holds all necessary information for building the container 1098 | // name. The container runtime is encouraged to expose the metadata in its user 1099 | // interface for better user experience. E.g., runtime can construct a unique 1100 | // container name based on the metadata. Note that (name, attempt) is unique 1101 | // within a sandbox for the entire lifetime of the sandbox. 1102 | message ContainerMetadata { 1103 | // Name of the container. Same as the container name in the PodSpec. 1104 | string name = 1; 1105 | // Attempt number of creating the container. Default: 0. 1106 | uint32 attempt = 2; 1107 | } 1108 | 1109 | // Device specifies a host device to mount into a container. 1110 | message Device { 1111 | // Path of the device within the container. 1112 | string container_path = 1; 1113 | // Path of the device on the host. 1114 | string host_path = 2; 1115 | // Cgroups permissions of the device, candidates are one or more of 1116 | // * r - allows container to read from the specified device. 1117 | // * w - allows container to write to the specified device. 1118 | // * m - allows container to create device files that do not yet exist. 1119 | string permissions = 3; 1120 | } 1121 | 1122 | // CDIDevice specifies a CDI device information. 1123 | message CDIDevice { 1124 | // Fully qualified CDI device name 1125 | // for example: vendor.com/gpu=gpudevice1 1126 | // see more details in the CDI specification: 1127 | // https://github.com/container-orchestrated-devices/container-device-interface/blob/main/SPEC.md 1128 | string name = 1; 1129 | } 1130 | 1131 | // ContainerConfig holds all the required and optional fields for creating a 1132 | // container. 1133 | message ContainerConfig { 1134 | // Metadata of the container. This information will uniquely identify the 1135 | // container, and the runtime should leverage this to ensure correct 1136 | // operation. The runtime may also use this information to improve UX, such 1137 | // as by constructing a readable name. 1138 | ContainerMetadata metadata = 1 ; 1139 | // Image to use. 1140 | ImageSpec image = 2; 1141 | // Command to execute (i.e., entrypoint for docker) 1142 | repeated string command = 3; 1143 | // Args for the Command (i.e., command for docker) 1144 | repeated string args = 4; 1145 | // Current working directory of the command. 1146 | string working_dir = 5; 1147 | // List of environment variable to set in the container. 1148 | repeated KeyValue envs = 6; 1149 | // Mounts for the container. 1150 | repeated Mount mounts = 7; 1151 | // Devices for the container. 1152 | repeated Device devices = 8; 1153 | // Key-value pairs that may be used to scope and select individual resources. 1154 | // Label keys are of the form: 1155 | // label-key ::= prefixed-name | name 1156 | // prefixed-name ::= prefix '/' name 1157 | // prefix ::= DNS_SUBDOMAIN 1158 | // name ::= DNS_LABEL 1159 | map labels = 9; 1160 | // Unstructured key-value map that may be used by the kubelet to store and 1161 | // retrieve arbitrary metadata. 1162 | // 1163 | // Annotations MUST NOT be altered by the runtime; the annotations stored 1164 | // here MUST be returned in the ContainerStatus associated with the container 1165 | // this ContainerConfig creates. 1166 | // 1167 | // In general, in order to preserve a well-defined interface between the 1168 | // kubelet and the container runtime, annotations SHOULD NOT influence 1169 | // runtime behaviour. 1170 | map annotations = 10; 1171 | // Path relative to PodSandboxConfig.LogDirectory for container to store 1172 | // the log (STDOUT and STDERR) on the host. 1173 | // E.g., 1174 | // PodSandboxConfig.LogDirectory = `/var/log/pods/__/` 1175 | // ContainerConfig.LogPath = `containerName/Instance#.log` 1176 | string log_path = 11; 1177 | 1178 | // Variables for interactive containers, these have very specialized 1179 | // use-cases (e.g. debugging). 1180 | bool stdin = 12; 1181 | bool stdin_once = 13; 1182 | bool tty = 14; 1183 | 1184 | // Configuration specific to Linux containers. 1185 | LinuxContainerConfig linux = 15; 1186 | // Configuration specific to Windows containers. 1187 | WindowsContainerConfig windows = 16; 1188 | 1189 | // CDI devices for the container. 1190 | repeated CDIDevice CDI_devices = 17; 1191 | 1192 | // The custom stop signal for the container 1193 | Signal stop_signal = 18; 1194 | } 1195 | 1196 | enum Signal { 1197 | RUNTIME_DEFAULT = 0; 1198 | SIGABRT = 1; 1199 | SIGALRM = 2; 1200 | SIGBUS = 3; 1201 | SIGCHLD = 4; 1202 | SIGCLD = 5; 1203 | SIGCONT = 6; 1204 | SIGFPE = 7; 1205 | SIGHUP = 8; 1206 | SIGILL = 9; 1207 | SIGINT = 10; 1208 | SIGIO = 11; 1209 | SIGIOT = 12; 1210 | SIGKILL = 13; 1211 | SIGPIPE = 14; 1212 | SIGPOLL = 15; 1213 | SIGPROF = 16; 1214 | SIGPWR = 17; 1215 | SIGQUIT = 18; 1216 | SIGSEGV = 19; 1217 | SIGSTKFLT = 20; 1218 | SIGSTOP = 21; 1219 | SIGSYS = 22; 1220 | SIGTERM = 23; 1221 | SIGTRAP = 24; 1222 | SIGTSTP = 25; 1223 | SIGTTIN = 26; 1224 | SIGTTOU = 27; 1225 | SIGURG = 28; 1226 | SIGUSR1 = 29; 1227 | SIGUSR2 = 30; 1228 | SIGVTALRM = 31; 1229 | SIGWINCH = 32; 1230 | SIGXCPU = 33; 1231 | SIGXFSZ = 34; 1232 | SIGRTMIN = 35; 1233 | SIGRTMINPLUS1 = 36; 1234 | SIGRTMINPLUS2 = 37; 1235 | SIGRTMINPLUS3 = 38; 1236 | SIGRTMINPLUS4 = 39; 1237 | SIGRTMINPLUS5 = 40; 1238 | SIGRTMINPLUS6 = 41; 1239 | SIGRTMINPLUS7 = 42; 1240 | SIGRTMINPLUS8 = 43; 1241 | SIGRTMINPLUS9 = 44; 1242 | SIGRTMINPLUS10 = 45; 1243 | SIGRTMINPLUS11 = 46; 1244 | SIGRTMINPLUS12 = 47; 1245 | SIGRTMINPLUS13 = 48; 1246 | SIGRTMINPLUS14 = 49; 1247 | SIGRTMINPLUS15 = 50; 1248 | SIGRTMAXMINUS14 = 51; 1249 | SIGRTMAXMINUS13 = 52; 1250 | SIGRTMAXMINUS12 = 53; 1251 | SIGRTMAXMINUS11 = 54; 1252 | SIGRTMAXMINUS10 = 55; 1253 | SIGRTMAXMINUS9 = 56; 1254 | SIGRTMAXMINUS8 = 57; 1255 | SIGRTMAXMINUS7 = 58; 1256 | SIGRTMAXMINUS6 = 59; 1257 | SIGRTMAXMINUS5 = 60; 1258 | SIGRTMAXMINUS4 = 61; 1259 | SIGRTMAXMINUS3 = 62; 1260 | SIGRTMAXMINUS2 = 63; 1261 | SIGRTMAXMINUS1 = 64; 1262 | SIGRTMAX = 65; 1263 | } 1264 | 1265 | message CreateContainerRequest { 1266 | // ID of the PodSandbox in which the container should be created. 1267 | string pod_sandbox_id = 1; 1268 | // Config of the container. 1269 | ContainerConfig config = 2; 1270 | // Config of the PodSandbox. This is the same config that was passed 1271 | // to RunPodSandboxRequest to create the PodSandbox. It is passed again 1272 | // here just for easy reference. The PodSandboxConfig is immutable and 1273 | // remains the same throughout the lifetime of the pod. 1274 | PodSandboxConfig sandbox_config = 3; 1275 | } 1276 | 1277 | message CreateContainerResponse { 1278 | // ID of the created container. 1279 | string container_id = 1; 1280 | } 1281 | 1282 | message StartContainerRequest { 1283 | // ID of the container to start. 1284 | string container_id = 1; 1285 | } 1286 | 1287 | message StartContainerResponse {} 1288 | 1289 | message StopContainerRequest { 1290 | // ID of the container to stop. 1291 | string container_id = 1; 1292 | // Timeout in seconds to wait for the container to stop before forcibly 1293 | // terminating it. Default: 0 (forcibly terminate the container immediately) 1294 | int64 timeout = 2; 1295 | } 1296 | 1297 | message StopContainerResponse {} 1298 | 1299 | message RemoveContainerRequest { 1300 | // ID of the container to remove. 1301 | string container_id = 1; 1302 | } 1303 | 1304 | message RemoveContainerResponse {} 1305 | 1306 | enum ContainerState { 1307 | CONTAINER_CREATED = 0; 1308 | CONTAINER_RUNNING = 1; 1309 | CONTAINER_EXITED = 2; 1310 | CONTAINER_UNKNOWN = 3; 1311 | } 1312 | 1313 | // ContainerStateValue is the wrapper of ContainerState. 1314 | message ContainerStateValue { 1315 | // State of the container. 1316 | ContainerState state = 1; 1317 | } 1318 | 1319 | // ContainerFilter is used to filter containers. 1320 | // All those fields are combined with 'AND' 1321 | message ContainerFilter { 1322 | // ID of the container. 1323 | string id = 1; 1324 | // State of the container. 1325 | ContainerStateValue state = 2; 1326 | // ID of the PodSandbox. 1327 | string pod_sandbox_id = 3; 1328 | // LabelSelector to select matches. 1329 | // Only api.MatchLabels is supported for now and the requirements 1330 | // are ANDed. MatchExpressions is not supported yet. 1331 | map label_selector = 4; 1332 | } 1333 | 1334 | message ListContainersRequest { 1335 | ContainerFilter filter = 1; 1336 | } 1337 | 1338 | // Container provides the runtime information for a container, such as ID, hash, 1339 | // state of the container. 1340 | message Container { 1341 | // ID of the container, used by the container runtime to identify 1342 | // a container. 1343 | string id = 1; 1344 | // ID of the sandbox to which this container belongs. 1345 | string pod_sandbox_id = 2; 1346 | // Metadata of the container. 1347 | ContainerMetadata metadata = 3; 1348 | // Spec of the image. 1349 | ImageSpec image = 4; 1350 | // Digested reference to the image in use. 1351 | string image_ref = 5; 1352 | // State of the container. 1353 | ContainerState state = 6; 1354 | // Creation time of the container in nanoseconds. 1355 | int64 created_at = 7; 1356 | // Key-value pairs that may be used to scope and select individual resources. 1357 | map labels = 8; 1358 | // Unstructured key-value map holding arbitrary metadata. 1359 | // Annotations MUST NOT be altered by the runtime; the value of this field 1360 | // MUST be identical to that of the corresponding ContainerConfig used to 1361 | // instantiate this Container. 1362 | map annotations = 9; 1363 | // Reference to the unique identifier of the image, on the node, as 1364 | // returned in the image service apis. 1365 | // 1366 | // Note: The image_ref above has been historically used by container 1367 | // runtimes to reference images by digest. The image_ref has been also used 1368 | // in the kubelet image garbage collection, which does not work with 1369 | // digests at all. To separate and avoid possible misusage, we now 1370 | // introduce the image_id field, which should always refer to a unique 1371 | // image identifier on the node. 1372 | string image_id = 10; 1373 | } 1374 | 1375 | message ListContainersResponse { 1376 | // List of containers. 1377 | repeated Container containers = 1; 1378 | } 1379 | 1380 | message ContainerStatusRequest { 1381 | // ID of the container for which to retrieve status. 1382 | string container_id = 1; 1383 | // Verbose indicates whether to return extra information about the container. 1384 | bool verbose = 2; 1385 | } 1386 | 1387 | // ContainerStatus represents the status of a container. 1388 | message ContainerStatus { 1389 | // ID of the container. 1390 | string id = 1; 1391 | // Metadata of the container. 1392 | ContainerMetadata metadata = 2; 1393 | // Status of the container. 1394 | ContainerState state = 3; 1395 | // Creation time of the container in nanoseconds. 1396 | int64 created_at = 4; 1397 | // Start time of the container in nanoseconds. Default: 0 (not specified). 1398 | int64 started_at = 5; 1399 | // Finish time of the container in nanoseconds. Default: 0 (not specified). 1400 | int64 finished_at = 6; 1401 | // Exit code of the container. Only required when finished_at != 0. Default: 0. 1402 | int32 exit_code = 7; 1403 | // Spec of the image. 1404 | ImageSpec image = 8; 1405 | // Digested reference to the image in use. 1406 | string image_ref = 9; 1407 | // Brief CamelCase string explaining why container is in its current state. 1408 | // Must be set to "OOMKilled" for containers terminated by cgroup-based Out-of-Memory killer. 1409 | string reason = 10; 1410 | // Human-readable message indicating details about why container is in its 1411 | // current state. 1412 | string message = 11; 1413 | // Key-value pairs that may be used to scope and select individual resources. 1414 | map labels = 12; 1415 | // Unstructured key-value map holding arbitrary metadata. 1416 | // Annotations MUST NOT be altered by the runtime; the value of this field 1417 | // MUST be identical to that of the corresponding ContainerConfig used to 1418 | // instantiate the Container this status represents. 1419 | map annotations = 13; 1420 | // Mounts for the container. 1421 | repeated Mount mounts = 14; 1422 | // Log path of container. 1423 | string log_path = 15; 1424 | // Resource limits configuration of the container. 1425 | ContainerResources resources = 16; 1426 | // Reference to the unique identifier of the image, on the node, as 1427 | // returned in the image service apis. 1428 | // 1429 | // Note: The image_ref above has been historically used by container 1430 | // runtimes to reference images by digest. To separate and avoid possible 1431 | // misusage, we now introduce the image_id field, which should always refer 1432 | // to a unique image identifier on the node. 1433 | string image_id = 17; 1434 | // User identities initially attached to the container 1435 | ContainerUser user = 18; 1436 | 1437 | // Returns the stop signal used by the container runtime to terminate the container 1438 | Signal stop_signal = 19; 1439 | } 1440 | 1441 | message ContainerStatusResponse { 1442 | // Status of the container. 1443 | ContainerStatus status = 1; 1444 | // Info is extra information of the Container. The key could be arbitrary string, and 1445 | // value should be in json format. The information could include anything useful for 1446 | // debug, e.g. pid for linux container based container runtime. 1447 | // It should only be returned non-empty when Verbose is true. 1448 | map info = 2; 1449 | } 1450 | 1451 | // ContainerResources holds resource limits configuration for a container. 1452 | message ContainerResources { 1453 | // Resource limits configuration specific to Linux container. 1454 | LinuxContainerResources linux = 1; 1455 | // Resource limits configuration specific to Windows container. 1456 | WindowsContainerResources windows = 2; 1457 | } 1458 | 1459 | message ContainerUser { 1460 | // User identities initially attached to first process in the Linux container. 1461 | // Note that the actual running identity can be changed if the process has enough privilege to do so. 1462 | LinuxContainerUser linux = 1; 1463 | 1464 | // User identities initially attached to first process in the Windows container 1465 | // This is just reserved for future use. 1466 | // WindowsContainerUser windows = 2; 1467 | } 1468 | 1469 | 1470 | message UpdateContainerResourcesRequest { 1471 | // ID of the container to update. 1472 | string container_id = 1; 1473 | // Resource configuration specific to Linux containers. 1474 | LinuxContainerResources linux = 2; 1475 | // Resource configuration specific to Windows containers. 1476 | WindowsContainerResources windows = 3; 1477 | // Unstructured key-value map holding arbitrary additional information for 1478 | // container resources updating. This can be used for specifying experimental 1479 | // resources to update or other options to use when updating the container. 1480 | map annotations = 4; 1481 | } 1482 | 1483 | message UpdateContainerResourcesResponse {} 1484 | 1485 | message ExecSyncRequest { 1486 | // ID of the container. 1487 | string container_id = 1; 1488 | // Command to execute. 1489 | repeated string cmd = 2; 1490 | // Timeout in seconds to stop the command. Default: 0 (run forever). 1491 | int64 timeout = 3; 1492 | } 1493 | 1494 | message ExecSyncResponse { 1495 | // Captured command stdout output. 1496 | // The runtime should cap the output of this response to 16MB. 1497 | // If the stdout of the command produces more than 16MB, the remaining output 1498 | // should be discarded, and the command should proceed with no error. 1499 | // See CVE-2022-1708 and CVE-2022-31030 for more information. 1500 | bytes stdout = 1; 1501 | // Captured command stderr output. 1502 | // The runtime should cap the output of this response to 16MB. 1503 | // If the stderr of the command produces more than 16MB, the remaining output 1504 | // should be discarded, and the command should proceed with no error. 1505 | // See CVE-2022-1708 and CVE-2022-31030 for more information. 1506 | bytes stderr = 2; 1507 | // Exit code the command finished with. Default: 0 (success). 1508 | int32 exit_code = 3; 1509 | } 1510 | 1511 | message ExecRequest { 1512 | // ID of the container in which to execute the command. 1513 | string container_id = 1; 1514 | // Command to execute. 1515 | repeated string cmd = 2; 1516 | // Whether to exec the command in a TTY. 1517 | bool tty = 3; 1518 | // Whether to stream stdin. 1519 | // One of `stdin`, `stdout`, and `stderr` MUST be true. 1520 | bool stdin = 4; 1521 | // Whether to stream stdout. 1522 | // One of `stdin`, `stdout`, and `stderr` MUST be true. 1523 | bool stdout = 5; 1524 | // Whether to stream stderr. 1525 | // One of `stdin`, `stdout`, and `stderr` MUST be true. 1526 | // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported 1527 | // in this case. The output of stdout and stderr will be combined to a 1528 | // single stream. 1529 | bool stderr = 6; 1530 | } 1531 | 1532 | message ExecResponse { 1533 | // Fully qualified URL of the exec streaming server. 1534 | string url = 1; 1535 | } 1536 | 1537 | message AttachRequest { 1538 | // ID of the container to which to attach. 1539 | string container_id = 1; 1540 | // Whether to stream stdin. 1541 | // One of `stdin`, `stdout`, and `stderr` MUST be true. 1542 | bool stdin = 2; 1543 | // Whether the process being attached is running in a TTY. 1544 | // This must match the TTY setting in the ContainerConfig. 1545 | bool tty = 3; 1546 | // Whether to stream stdout. 1547 | // One of `stdin`, `stdout`, and `stderr` MUST be true. 1548 | bool stdout = 4; 1549 | // Whether to stream stderr. 1550 | // One of `stdin`, `stdout`, and `stderr` MUST be true. 1551 | // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported 1552 | // in this case. The output of stdout and stderr will be combined to a 1553 | // single stream. 1554 | bool stderr = 5; 1555 | } 1556 | 1557 | message AttachResponse { 1558 | // Fully qualified URL of the attach streaming server. 1559 | string url = 1; 1560 | } 1561 | 1562 | message PortForwardRequest { 1563 | // ID of the container to which to forward the port. 1564 | string pod_sandbox_id = 1; 1565 | // Port to forward. 1566 | repeated int32 port = 2; 1567 | } 1568 | 1569 | message PortForwardResponse { 1570 | // Fully qualified URL of the port-forward streaming server. 1571 | string url = 1; 1572 | } 1573 | 1574 | message ImageFilter { 1575 | // Spec of the image. 1576 | ImageSpec image = 1; 1577 | } 1578 | 1579 | message ListImagesRequest { 1580 | // Filter to list images. 1581 | ImageFilter filter = 1; 1582 | } 1583 | 1584 | // Basic information about a container image. 1585 | message Image { 1586 | // ID of the image. 1587 | string id = 1; 1588 | // Other names by which this image is known. 1589 | repeated string repo_tags = 2; 1590 | // Digests by which this image is known. 1591 | repeated string repo_digests = 3; 1592 | // Size of the image in bytes. Must be > 0. 1593 | uint64 size = 4; 1594 | // UID that will run the command(s). This is used as a default if no user is 1595 | // specified when creating the container. UID and the following user name 1596 | // are mutually exclusive. 1597 | Int64Value uid = 5; 1598 | // User name that will run the command(s). This is used if UID is not set 1599 | // and no user is specified when creating container. 1600 | string username = 6; 1601 | // ImageSpec for image which includes annotations 1602 | ImageSpec spec = 7; 1603 | // Recommendation on whether this image should be exempt from garbage collection. 1604 | // It must only be treated as a recommendation -- the client can still request that the image be deleted, 1605 | // and the runtime must oblige. 1606 | bool pinned = 8; 1607 | } 1608 | 1609 | message ListImagesResponse { 1610 | // List of images. 1611 | repeated Image images = 1; 1612 | } 1613 | 1614 | message ImageStatusRequest { 1615 | // Spec of the image. 1616 | ImageSpec image = 1; 1617 | // Verbose indicates whether to return extra information about the image. 1618 | bool verbose = 2; 1619 | } 1620 | 1621 | message ImageStatusResponse { 1622 | // Status of the image. 1623 | Image image = 1; 1624 | // Info is extra information of the Image. The key could be arbitrary string, and 1625 | // value should be in json format. The information could include anything useful 1626 | // for debug, e.g. image config for oci image based container runtime. 1627 | // It should only be returned non-empty when Verbose is true. 1628 | map info = 2; 1629 | } 1630 | 1631 | // AuthConfig contains authorization information for connecting to a registry. 1632 | message AuthConfig { 1633 | string username = 1; 1634 | string password = 2; 1635 | string auth = 3; 1636 | string server_address = 4; 1637 | // IdentityToken is used to authenticate the user and get 1638 | // an access token for the registry. 1639 | string identity_token = 5; 1640 | // RegistryToken is a bearer token to be sent to a registry 1641 | string registry_token = 6; 1642 | } 1643 | 1644 | message PullImageRequest { 1645 | // Spec of the image. 1646 | ImageSpec image = 1; 1647 | // Authentication configuration for pulling the image. 1648 | AuthConfig auth = 2; 1649 | // Config of the PodSandbox, which is used to pull image in PodSandbox context. 1650 | PodSandboxConfig sandbox_config = 3; 1651 | } 1652 | 1653 | message PullImageResponse { 1654 | // Reference to the image in use. For most runtimes, this should be an 1655 | // image ID or digest. 1656 | string image_ref = 1; 1657 | } 1658 | 1659 | message RemoveImageRequest { 1660 | // Spec of the image to remove. 1661 | ImageSpec image = 1; 1662 | } 1663 | 1664 | message RemoveImageResponse {} 1665 | 1666 | message NetworkConfig { 1667 | // CIDR to use for pod IP addresses. If the CIDR is empty, runtimes 1668 | // should omit it. 1669 | string pod_cidr = 1; 1670 | } 1671 | 1672 | message RuntimeConfig { 1673 | NetworkConfig network_config = 1; 1674 | } 1675 | 1676 | message UpdateRuntimeConfigRequest { 1677 | RuntimeConfig runtime_config = 1; 1678 | } 1679 | 1680 | message UpdateRuntimeConfigResponse {} 1681 | 1682 | // RuntimeCondition contains condition information for the runtime. 1683 | // There are 2 kinds of runtime conditions: 1684 | // 1. Required conditions: Conditions are required for kubelet to work 1685 | // properly. If any required condition is unmet, the node will be not ready. 1686 | // The required conditions include: 1687 | // * RuntimeReady: RuntimeReady means the runtime is up and ready to accept 1688 | // basic containers e.g. container only needs host network. 1689 | // * NetworkReady: NetworkReady means the runtime network is up and ready to 1690 | // accept containers which require container network. 1691 | // 2. Optional conditions: Conditions are informative to the user, but kubelet 1692 | // will not rely on. Since condition type is an arbitrary string, all conditions 1693 | // not required are optional. These conditions will be exposed to users to help 1694 | // them understand the status of the system. 1695 | message RuntimeCondition { 1696 | // Type of runtime condition. 1697 | string type = 1; 1698 | // Status of the condition, one of true/false. Default: false. 1699 | bool status = 2; 1700 | // Brief CamelCase string containing reason for the condition's last transition. 1701 | string reason = 3; 1702 | // Human-readable message indicating details about last transition. 1703 | string message = 4; 1704 | } 1705 | 1706 | // RuntimeStatus is information about the current status of the runtime. 1707 | message RuntimeStatus { 1708 | // List of current observed runtime conditions. 1709 | repeated RuntimeCondition conditions = 1; 1710 | } 1711 | 1712 | message StatusRequest { 1713 | // Verbose indicates whether to return extra information about the runtime. 1714 | bool verbose = 1; 1715 | } 1716 | 1717 | // RuntimeHandlerFeatures is a set of features implemented by the runtime handler. 1718 | message RuntimeHandlerFeatures { 1719 | // recursive_read_only_mounts is set to true if the runtime handler supports 1720 | // recursive read-only mounts. 1721 | // For runc-compatible runtimes, availability of this feature can be detected by checking whether 1722 | // the Linux kernel version is >= 5.12, and, `runc features | jq .mountOptions` contains "rro". 1723 | bool recursive_read_only_mounts = 1; 1724 | 1725 | // user_namespaces is set to true if the runtime handler supports user namespaces as implemented 1726 | // in Kubernetes. This means support for both, user namespaces and idmap mounts. 1727 | bool user_namespaces = 2; 1728 | } 1729 | 1730 | message RuntimeHandler { 1731 | // Name must be unique in StatusResponse. 1732 | // An empty string denotes the default handler. 1733 | string name = 1; 1734 | // Supported features. 1735 | RuntimeHandlerFeatures features = 2; 1736 | } 1737 | 1738 | // RuntimeFeatures describes the set of features implemented by the CRI implementation. 1739 | // The features contained in the RuntimeFeatures should depend only on the cri implementation 1740 | // independent of runtime handlers. 1741 | message RuntimeFeatures { 1742 | // supplemental_groups_policy is set to true if the runtime supports SupplementalGroupsPolicy and ContainerUser. 1743 | bool supplemental_groups_policy = 1; 1744 | } 1745 | 1746 | message StatusResponse { 1747 | // Status of the Runtime. 1748 | RuntimeStatus status = 1; 1749 | // Info is extra information of the Runtime. The key could be arbitrary string, and 1750 | // value should be in json format. The information could include anything useful for 1751 | // debug, e.g. plugins used by the container runtime. 1752 | // It should only be returned non-empty when Verbose is true. 1753 | map info = 2; 1754 | // Runtime handlers. 1755 | repeated RuntimeHandler runtime_handlers = 3; 1756 | // features describes the set of features implemented by the CRI implementation. 1757 | // This field is supposed to propagate to NodeFeatures in Kubernetes API. 1758 | RuntimeFeatures features = 4; 1759 | } 1760 | 1761 | message ImageFsInfoRequest {} 1762 | 1763 | // UInt64Value is the wrapper of uint64. 1764 | message UInt64Value { 1765 | // The value. 1766 | uint64 value = 1; 1767 | } 1768 | 1769 | // FilesystemIdentifier uniquely identify the filesystem. 1770 | message FilesystemIdentifier{ 1771 | // Mountpoint of a filesystem. 1772 | string mountpoint = 1; 1773 | } 1774 | 1775 | // FilesystemUsage provides the filesystem usage information. 1776 | message FilesystemUsage { 1777 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1778 | int64 timestamp = 1; 1779 | // The unique identifier of the filesystem. 1780 | FilesystemIdentifier fs_id = 2; 1781 | // UsedBytes represents the bytes used for images on the filesystem. 1782 | // This may differ from the total bytes used on the filesystem and may not 1783 | // equal CapacityBytes - AvailableBytes. 1784 | UInt64Value used_bytes = 3; 1785 | // InodesUsed represents the inodes used by the images. 1786 | // This may not equal InodesCapacity - InodesAvailable because the underlying 1787 | // filesystem may also be used for purposes other than storing images. 1788 | UInt64Value inodes_used = 4; 1789 | } 1790 | 1791 | // WindowsFilesystemUsage provides the filesystem usage information specific to Windows. 1792 | message WindowsFilesystemUsage { 1793 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1794 | int64 timestamp = 1; 1795 | // The unique identifier of the filesystem. 1796 | FilesystemIdentifier fs_id = 2; 1797 | // UsedBytes represents the bytes used for images on the filesystem. 1798 | // This may differ from the total bytes used on the filesystem and may not 1799 | // equal CapacityBytes - AvailableBytes. 1800 | UInt64Value used_bytes = 3; 1801 | } 1802 | 1803 | message ImageFsInfoResponse { 1804 | // Information of image filesystem(s). 1805 | repeated FilesystemUsage image_filesystems = 1; 1806 | // Information of container filesystem(s). 1807 | // This is an optional field, may be used for example if container and image 1808 | // storage are separated. 1809 | // Default will be to return this as empty. 1810 | repeated FilesystemUsage container_filesystems = 2; 1811 | } 1812 | 1813 | message ContainerStatsRequest{ 1814 | // ID of the container for which to retrieve stats. 1815 | string container_id = 1; 1816 | } 1817 | 1818 | message ContainerStatsResponse { 1819 | // Stats of the container. 1820 | ContainerStats stats = 1; 1821 | } 1822 | 1823 | message ListContainerStatsRequest{ 1824 | // Filter for the list request. 1825 | ContainerStatsFilter filter = 1; 1826 | } 1827 | 1828 | // ContainerStatsFilter is used to filter containers. 1829 | // All those fields are combined with 'AND' 1830 | message ContainerStatsFilter { 1831 | // ID of the container. 1832 | string id = 1; 1833 | // ID of the PodSandbox. 1834 | string pod_sandbox_id = 2; 1835 | // LabelSelector to select matches. 1836 | // Only api.MatchLabels is supported for now and the requirements 1837 | // are ANDed. MatchExpressions is not supported yet. 1838 | map label_selector = 3; 1839 | } 1840 | 1841 | message ListContainerStatsResponse { 1842 | // Stats of the container. 1843 | repeated ContainerStats stats = 1; 1844 | } 1845 | 1846 | // ContainerAttributes provides basic information of the container. 1847 | message ContainerAttributes { 1848 | // ID of the container. 1849 | string id = 1; 1850 | // Metadata of the container. 1851 | ContainerMetadata metadata = 2; 1852 | // Key-value pairs that may be used to scope and select individual resources. 1853 | map labels = 3; 1854 | // Unstructured key-value map holding arbitrary metadata. 1855 | // Annotations MUST NOT be altered by the runtime; the value of this field 1856 | // MUST be identical to that of the corresponding ContainerConfig used to 1857 | // instantiate the Container this status represents. 1858 | map annotations = 4; 1859 | } 1860 | 1861 | // ContainerStats provides the resource usage statistics for a container. 1862 | message ContainerStats { 1863 | // Information of the container. 1864 | ContainerAttributes attributes = 1; 1865 | // CPU usage gathered from the container. 1866 | CpuUsage cpu = 2; 1867 | // Memory usage gathered from the container. 1868 | MemoryUsage memory = 3; 1869 | // Usage of the writable layer. 1870 | FilesystemUsage writable_layer = 4; 1871 | // Swap usage gathered from the container. 1872 | SwapUsage swap = 5; 1873 | // IO usage gathered from the container. 1874 | IoUsage io = 6; 1875 | } 1876 | 1877 | // WindowsContainerStats provides the resource usage statistics for a container specific for Windows 1878 | message WindowsContainerStats { 1879 | // Information of the container. 1880 | ContainerAttributes attributes = 1; 1881 | // CPU usage gathered from the container. 1882 | WindowsCpuUsage cpu = 2; 1883 | // Memory usage gathered from the container. 1884 | WindowsMemoryUsage memory = 3; 1885 | // Usage of the writable layer. 1886 | WindowsFilesystemUsage writable_layer = 4; 1887 | } 1888 | 1889 | // PSI statistics for an individual resource. 1890 | message PsiStats { 1891 | // PSI data for all tasks in the cgroup. 1892 | PsiData Full = 1; 1893 | // PSI data for some tasks in the cgroup. 1894 | PsiData Some = 2; 1895 | } 1896 | 1897 | // PSI data for an individual resource. 1898 | message PsiData { 1899 | // Total time duration for tasks in the cgroup have waited due to congestion. 1900 | // Unit: nanoseconds. 1901 | uint64 Total = 1; 1902 | // The average (in %) tasks have waited due to congestion over a 10 second window. 1903 | double Avg10 = 2; 1904 | // The average (in %) tasks have waited due to congestion over a 60 second window. 1905 | double Avg60 = 3; 1906 | // The average (in %) tasks have waited due to congestion over a 300 second window. 1907 | double Avg300 = 4; 1908 | } 1909 | 1910 | // CpuUsage provides the CPU usage information. 1911 | message CpuUsage { 1912 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1913 | int64 timestamp = 1; 1914 | // Cumulative CPU usage (sum across all cores) since object creation. 1915 | UInt64Value usage_core_nano_seconds = 2; 1916 | // Total CPU usage (sum of all cores) averaged over the sample window. 1917 | // The "core" unit can be interpreted as CPU core-nanoseconds per second. 1918 | UInt64Value usage_nano_cores = 3; 1919 | // CPU PSI statistics. 1920 | PsiStats psi = 4; 1921 | } 1922 | 1923 | // WindowsCpuUsage provides the CPU usage information specific to Windows 1924 | message WindowsCpuUsage { 1925 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1926 | int64 timestamp = 1; 1927 | // Cumulative CPU usage (sum across all cores) since object creation. 1928 | UInt64Value usage_core_nano_seconds = 2; 1929 | // Total CPU usage (sum of all cores) averaged over the sample window. 1930 | // The "core" unit can be interpreted as CPU core-nanoseconds per second. 1931 | UInt64Value usage_nano_cores = 3; 1932 | } 1933 | 1934 | // MemoryUsage provides the memory usage information. 1935 | message MemoryUsage { 1936 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1937 | int64 timestamp = 1; 1938 | // The amount of working set memory in bytes. 1939 | UInt64Value working_set_bytes = 2; 1940 | // Available memory for use. This is defined as the memory limit - workingSetBytes. 1941 | UInt64Value available_bytes = 3; 1942 | // Total memory in use. This includes all memory regardless of when it was accessed. 1943 | UInt64Value usage_bytes = 4; 1944 | // The amount of anonymous and swap cache memory (includes transparent hugepages). 1945 | UInt64Value rss_bytes = 5; 1946 | // Cumulative number of minor page faults. 1947 | UInt64Value page_faults = 6; 1948 | // Cumulative number of major page faults. 1949 | UInt64Value major_page_faults = 7; 1950 | // Memory PSI statistics. 1951 | PsiStats psi = 8; 1952 | } 1953 | 1954 | message IoUsage { 1955 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1956 | int64 timestamp = 1; 1957 | // IO PSI statistics. 1958 | PsiStats psi = 2; 1959 | } 1960 | 1961 | message SwapUsage { 1962 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1963 | int64 timestamp = 1; 1964 | // Available swap for use. This is defined as the swap limit - swapUsageBytes. 1965 | UInt64Value swap_available_bytes = 2; 1966 | // Total memory in use. This includes all memory regardless of when it was accessed. 1967 | UInt64Value swap_usage_bytes = 3; 1968 | } 1969 | 1970 | // WindowsMemoryUsage provides the memory usage information specific to Windows 1971 | message WindowsMemoryUsage { 1972 | // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1973 | int64 timestamp = 1; 1974 | // The amount of working set memory in bytes. 1975 | UInt64Value working_set_bytes = 2; 1976 | // Available memory for use. This is defined as the memory limit - commit_memory_bytes. 1977 | UInt64Value available_bytes = 3; 1978 | // Cumulative number of page faults. 1979 | UInt64Value page_faults = 4; 1980 | // Total commit memory in use. Commit memory is total of physical and virtual memory in use. 1981 | UInt64Value commit_memory_bytes = 5; 1982 | } 1983 | 1984 | message ReopenContainerLogRequest { 1985 | // ID of the container for which to reopen the log. 1986 | string container_id = 1; 1987 | } 1988 | 1989 | message ReopenContainerLogResponse{ 1990 | } 1991 | 1992 | message CheckpointContainerRequest { 1993 | // ID of the container to be checkpointed. 1994 | string container_id = 1; 1995 | // Location of the checkpoint archive used for export 1996 | string location = 2; 1997 | // Timeout in seconds for the checkpoint to complete. 1998 | // Timeout of zero means to use the CRI default. 1999 | // Timeout > 0 means to use the user specified timeout. 2000 | int64 timeout = 3; 2001 | } 2002 | 2003 | message CheckpointContainerResponse {} 2004 | 2005 | message GetEventsRequest {} 2006 | 2007 | message ContainerEventResponse { 2008 | // ID of the container 2009 | string container_id = 1; 2010 | 2011 | // Type of the container event 2012 | ContainerEventType container_event_type = 2; 2013 | 2014 | // Creation timestamp in nanoseconds of this event 2015 | int64 created_at = 3; 2016 | 2017 | // Sandbox status 2018 | PodSandboxStatus pod_sandbox_status = 4; 2019 | 2020 | // Container statuses 2021 | repeated ContainerStatus containers_statuses = 5; 2022 | } 2023 | 2024 | enum ContainerEventType { 2025 | // Container created 2026 | CONTAINER_CREATED_EVENT = 0; 2027 | 2028 | // Container started 2029 | CONTAINER_STARTED_EVENT = 1; 2030 | 2031 | // Container stopped 2032 | CONTAINER_STOPPED_EVENT = 2; 2033 | 2034 | // Container deleted 2035 | CONTAINER_DELETED_EVENT = 3; 2036 | } 2037 | 2038 | message ListMetricDescriptorsRequest {} 2039 | 2040 | message ListMetricDescriptorsResponse { 2041 | repeated MetricDescriptor descriptors = 1; 2042 | } 2043 | 2044 | message MetricDescriptor { 2045 | // The name field will be used as a unique identifier of this MetricDescriptor, 2046 | // and be used in conjunction with the Metric structure to populate the full Metric. 2047 | string name = 1; 2048 | string help = 2; 2049 | // When a metric uses this metric descriptor, it should only define 2050 | // labels that have previously been declared in label_keys. 2051 | // It is the responsibility of the runtime to correctly keep sorted the keys and values. 2052 | // If the two slices have different length, the behavior is undefined. 2053 | repeated string label_keys = 3; 2054 | } 2055 | 2056 | message ListPodSandboxMetricsRequest {} 2057 | 2058 | message ListPodSandboxMetricsResponse { 2059 | repeated PodSandboxMetrics pod_metrics = 1; 2060 | } 2061 | 2062 | message PodSandboxMetrics { 2063 | string pod_sandbox_id = 1; 2064 | repeated Metric metrics = 2; 2065 | repeated ContainerMetrics container_metrics = 3; 2066 | } 2067 | 2068 | message ContainerMetrics { 2069 | string container_id = 1; 2070 | repeated Metric metrics = 2; 2071 | } 2072 | 2073 | message Metric { 2074 | // Name must match a name previously returned in a MetricDescriptors call, 2075 | // otherwise, it will be ignored. 2076 | string name = 1; 2077 | // Timestamp should be 0 if the metric was gathered live. 2078 | // If it was cached, the Timestamp should reflect the time in nanoseconds it was collected. 2079 | int64 timestamp = 2; 2080 | MetricType metric_type = 3; 2081 | // The corresponding LabelValues to the LabelKeys defined in the MetricDescriptor. 2082 | // It is the responsibility of the runtime to correctly keep sorted the keys and values. 2083 | // If the two slices have different length, the behavior is undefined. 2084 | repeated string label_values = 4; 2085 | UInt64Value value = 5; 2086 | } 2087 | 2088 | enum MetricType { 2089 | COUNTER = 0; 2090 | GAUGE = 1; 2091 | } 2092 | 2093 | message RuntimeConfigRequest {} 2094 | 2095 | message RuntimeConfigResponse { 2096 | // Configuration information for Linux-based runtimes. This field contains 2097 | // global runtime configuration options that are not specific to runtime 2098 | // handlers. 2099 | LinuxRuntimeConfiguration linux = 1; 2100 | } 2101 | 2102 | message LinuxRuntimeConfiguration { 2103 | // Cgroup driver to use 2104 | // Note: this field should not change for the lifecycle of the Kubelet, 2105 | // or while there are running containers. 2106 | // The Kubelet will not re-request this after startup, and will construct the cgroup 2107 | // hierarchy assuming it is static. 2108 | // If the runtime wishes to change this value, it must be accompanied by removal of 2109 | // all pods, and a restart of the Kubelet. The easiest way to do this is with a full node reboot. 2110 | CgroupDriver cgroup_driver = 1; 2111 | } 2112 | 2113 | enum CgroupDriver { 2114 | SYSTEMD = 0; 2115 | CGROUPFS = 1; 2116 | } 2117 | 2118 | message UpdatePodSandboxResourcesRequest { 2119 | // ID of the PodSandbox to update. 2120 | string pod_sandbox_id = 1; 2121 | 2122 | // Optional overhead represents the overheads associated with this sandbox 2123 | LinuxContainerResources overhead = 2; 2124 | // Optional resources represents the sum of container resources for this sandbox 2125 | LinuxContainerResources resources = 3; 2126 | } 2127 | 2128 | message UpdatePodSandboxResourcesResponse {} 2129 | -------------------------------------------------------------------------------- /pkg/apis/runtime/v1/constants.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package v1 18 | 19 | // This file contains all constants defined in CRI. 20 | 21 | // Required runtime condition type. 22 | const ( 23 | // RuntimeReady means the runtime is up and ready to accept basic containers. 24 | RuntimeReady = "RuntimeReady" 25 | // NetworkReady means the runtime network is up and ready to accept containers which require network. 26 | NetworkReady = "NetworkReady" 27 | ) 28 | 29 | // LogStreamType is the type of the stream in CRI container log. 30 | type LogStreamType string 31 | 32 | const ( 33 | // Stdout is the stream type for stdout. 34 | Stdout LogStreamType = "stdout" 35 | // Stderr is the stream type for stderr. 36 | Stderr LogStreamType = "stderr" 37 | ) 38 | 39 | // LogTag is the tag of a log line in CRI container log. 40 | // Currently defined log tags: 41 | // * First tag: Partial/Full - P/F. 42 | // The field in the container log format can be extended to include multiple 43 | // tags by using a delimiter, but changes should be rare. If it becomes clear 44 | // that better extensibility is desired, a more extensible format (e.g., json) 45 | // should be adopted as a replacement and/or addition. 46 | type LogTag string 47 | 48 | const ( 49 | // LogTagPartial means the line is part of multiple lines. 50 | LogTagPartial LogTag = "P" 51 | // LogTagFull means the line is a single full line or the end of multiple lines. 52 | LogTagFull LogTag = "F" 53 | // LogTagDelimiter is the delimiter for different log tags. 54 | LogTagDelimiter = ":" 55 | ) 56 | -------------------------------------------------------------------------------- /pkg/apis/services.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2016 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package cri 18 | 19 | import ( 20 | "context" 21 | "time" 22 | 23 | runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" 24 | ) 25 | 26 | // RuntimeVersioner contains methods for runtime name, version and API version. 27 | type RuntimeVersioner interface { 28 | // Version returns the runtime name, runtime version and runtime API version 29 | Version(ctx context.Context, apiVersion string) (*runtimeapi.VersionResponse, error) 30 | } 31 | 32 | // ContainerManager contains methods to manipulate containers managed by a 33 | // container runtime. The methods are thread-safe. 34 | type ContainerManager interface { 35 | // CreateContainer creates a new container in specified PodSandbox. 36 | CreateContainer(ctx context.Context, podSandboxID string, config *runtimeapi.ContainerConfig, sandboxConfig *runtimeapi.PodSandboxConfig) (string, error) 37 | // StartContainer starts the container. 38 | StartContainer(ctx context.Context, containerID string) error 39 | // StopContainer stops a running container with a grace period (i.e., timeout). 40 | StopContainer(ctx context.Context, containerID string, timeout int64) error 41 | // RemoveContainer removes the container. 42 | RemoveContainer(ctx context.Context, containerID string) error 43 | // ListContainers lists all containers by filters. 44 | ListContainers(ctx context.Context, filter *runtimeapi.ContainerFilter) ([]*runtimeapi.Container, error) 45 | // ContainerStatus returns the status of the container. 46 | ContainerStatus(ctx context.Context, containerID string, verbose bool) (*runtimeapi.ContainerStatusResponse, error) 47 | // UpdateContainerResources updates ContainerConfig of the container synchronously. 48 | // If runtime fails to transactionally update the requested resources, an error is returned. 49 | UpdateContainerResources(ctx context.Context, containerID string, resources *runtimeapi.ContainerResources) error 50 | // ExecSync executes a command in the container, and returns the stdout output. 51 | // If command exits with a non-zero exit code, an error is returned. 52 | ExecSync(ctx context.Context, containerID string, cmd []string, timeout time.Duration) (stdout []byte, stderr []byte, err error) 53 | // Exec prepares a streaming endpoint to execute a command in the container, and returns the address. 54 | Exec(ctx context.Context, request *runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error) 55 | // Attach prepares a streaming endpoint to attach to a running container, and returns the address. 56 | Attach(ctx context.Context, req *runtimeapi.AttachRequest) (*runtimeapi.AttachResponse, error) 57 | // ReopenContainerLog asks runtime to reopen the stdout/stderr log file 58 | // for the container. If it returns error, new container log file MUST NOT 59 | // be created. 60 | ReopenContainerLog(ctx context.Context, ContainerID string) error 61 | // CheckpointContainer checkpoints a container 62 | CheckpointContainer(ctx context.Context, options *runtimeapi.CheckpointContainerRequest) error 63 | // GetContainerEvents gets container events from the CRI runtime 64 | GetContainerEvents(ctx context.Context, containerEventsCh chan *runtimeapi.ContainerEventResponse, connectionEstablishedCallback func(runtimeapi.RuntimeService_GetContainerEventsClient)) error 65 | } 66 | 67 | // PodSandboxManager contains methods for operating on PodSandboxes. The methods 68 | // are thread-safe. 69 | type PodSandboxManager interface { 70 | // RunPodSandbox creates and starts a pod-level sandbox. Runtimes should ensure 71 | // the sandbox is in ready state. 72 | RunPodSandbox(ctx context.Context, config *runtimeapi.PodSandboxConfig, runtimeHandler string) (string, error) 73 | // StopPodSandbox stops the sandbox. If there are any running containers in the 74 | // sandbox, they should be force terminated. 75 | StopPodSandbox(ctx context.Context, podSandboxID string) error 76 | // RemovePodSandbox removes the sandbox. If there are running containers in the 77 | // sandbox, they should be forcibly removed. 78 | RemovePodSandbox(ctx context.Context, podSandboxID string) error 79 | // PodSandboxStatus returns the Status of the PodSandbox. 80 | PodSandboxStatus(ctx context.Context, podSandboxID string, verbose bool) (*runtimeapi.PodSandboxStatusResponse, error) 81 | // ListPodSandbox returns a list of Sandbox. 82 | ListPodSandbox(ctx context.Context, filter *runtimeapi.PodSandboxFilter) ([]*runtimeapi.PodSandbox, error) 83 | // PortForward prepares a streaming endpoint to forward ports from a PodSandbox, and returns the address. 84 | PortForward(ctx context.Context, request *runtimeapi.PortForwardRequest) (*runtimeapi.PortForwardResponse, error) 85 | // UpdatePodSandboxResources synchronously updates the PodSandboxConfig with 86 | // the pod-level resource configuration. This method is called _after_ the 87 | // Kubelet reconfigures the pod-level cgroups. 88 | // This request is treated as best effort, and failure will not block the 89 | // Kubelet with proceeding with a resize. 90 | UpdatePodSandboxResources(ctx context.Context, request *runtimeapi.UpdatePodSandboxResourcesRequest) (*runtimeapi.UpdatePodSandboxResourcesResponse, error) 91 | } 92 | 93 | // ContainerStatsManager contains methods for retrieving the container 94 | // statistics. 95 | type ContainerStatsManager interface { 96 | // ContainerStats returns stats of the container. If the container does not 97 | // exist, the call returns an error. 98 | ContainerStats(ctx context.Context, containerID string) (*runtimeapi.ContainerStats, error) 99 | // ListContainerStats returns stats of all running containers. 100 | ListContainerStats(ctx context.Context, filter *runtimeapi.ContainerStatsFilter) ([]*runtimeapi.ContainerStats, error) 101 | // PodSandboxStats returns stats of the pod. If the pod does not 102 | // exist, the call returns an error. 103 | PodSandboxStats(ctx context.Context, podSandboxID string) (*runtimeapi.PodSandboxStats, error) 104 | // ListPodSandboxStats returns stats of all running pods. 105 | ListPodSandboxStats(ctx context.Context, filter *runtimeapi.PodSandboxStatsFilter) ([]*runtimeapi.PodSandboxStats, error) 106 | // ListMetricDescriptors gets the descriptors for the metrics that will be returned in ListPodSandboxMetrics. 107 | ListMetricDescriptors(ctx context.Context) ([]*runtimeapi.MetricDescriptor, error) 108 | // ListPodSandboxMetrics returns metrics of all running pods. 109 | ListPodSandboxMetrics(ctx context.Context) ([]*runtimeapi.PodSandboxMetrics, error) 110 | } 111 | 112 | // RuntimeService interface should be implemented by a container runtime. 113 | // The methods should be thread-safe. 114 | type RuntimeService interface { 115 | RuntimeVersioner 116 | ContainerManager 117 | PodSandboxManager 118 | ContainerStatsManager 119 | 120 | // UpdateRuntimeConfig updates runtime configuration if specified 121 | UpdateRuntimeConfig(ctx context.Context, runtimeConfig *runtimeapi.RuntimeConfig) error 122 | // Status returns the status of the runtime. 123 | Status(ctx context.Context, verbose bool) (*runtimeapi.StatusResponse, error) 124 | // RuntimeConfig returns the configuration information of the runtime. 125 | RuntimeConfig(ctx context.Context) (*runtimeapi.RuntimeConfigResponse, error) 126 | } 127 | 128 | // ImageManagerService interface should be implemented by a container image 129 | // manager. 130 | // The methods should be thread-safe. 131 | type ImageManagerService interface { 132 | // ListImages lists the existing images. 133 | ListImages(ctx context.Context, filter *runtimeapi.ImageFilter) ([]*runtimeapi.Image, error) 134 | // ImageStatus returns the status of the image. 135 | ImageStatus(ctx context.Context, image *runtimeapi.ImageSpec, verbose bool) (*runtimeapi.ImageStatusResponse, error) 136 | // PullImage pulls an image with the authentication config. 137 | PullImage(ctx context.Context, image *runtimeapi.ImageSpec, auth *runtimeapi.AuthConfig, podSandboxConfig *runtimeapi.PodSandboxConfig) (string, error) 138 | // RemoveImage removes the image. 139 | RemoveImage(ctx context.Context, image *runtimeapi.ImageSpec) error 140 | // ImageFsInfo returns information of the filesystem(s) used to store the read-only layers and the writeable layer. 141 | ImageFsInfo(ctx context.Context) (*runtimeapi.ImageFsInfoResponse, error) 142 | } 143 | -------------------------------------------------------------------------------- /pkg/apis/testing/fake_image_service.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2016 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package testing 18 | 19 | import ( 20 | "context" 21 | "sync" 22 | "testing" 23 | 24 | "github.com/stretchr/testify/assert" 25 | 26 | runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" 27 | ) 28 | 29 | // FakeImageService fakes the image service. 30 | type FakeImageService struct { 31 | sync.Mutex 32 | 33 | FakeImageSize uint64 34 | Called []string 35 | Errors map[string][]error 36 | Images map[string]*runtimeapi.Image 37 | Pinned map[string]bool 38 | 39 | pulledImages []*pulledImage 40 | 41 | FakeFilesystemUsage []*runtimeapi.FilesystemUsage 42 | FakeContainerFilesystemUsage []*runtimeapi.FilesystemUsage 43 | } 44 | 45 | // SetFakeImages sets the list of fake images for the FakeImageService. 46 | func (r *FakeImageService) SetFakeImages(images []string) { 47 | r.Lock() 48 | defer r.Unlock() 49 | 50 | r.Images = make(map[string]*runtimeapi.Image) 51 | for _, image := range images { 52 | r.Images[image] = r.makeFakeImage( 53 | &runtimeapi.ImageSpec{ 54 | Image: image, 55 | Annotations: make(map[string]string)}) 56 | } 57 | } 58 | 59 | // SetFakeImagesWithAnnotations sets the list of fake images for the FakeImageService with annotations. 60 | func (r *FakeImageService) SetFakeImagesWithAnnotations(imageSpecs []*runtimeapi.ImageSpec) { 61 | r.Lock() 62 | defer r.Unlock() 63 | 64 | r.Images = make(map[string]*runtimeapi.Image) 65 | for _, imageSpec := range imageSpecs { 66 | r.Images[imageSpec.Image] = r.makeFakeImage(imageSpec) 67 | } 68 | } 69 | 70 | // SetFakeImageSize sets the image size for the FakeImageService. 71 | func (r *FakeImageService) SetFakeImageSize(size uint64) { 72 | r.Lock() 73 | defer r.Unlock() 74 | 75 | r.FakeImageSize = size 76 | } 77 | 78 | // SetFakeImagePinned sets the image Pinned field for one image. 79 | func (r *FakeImageService) SetFakeImagePinned(image string, pinned bool) { 80 | r.Lock() 81 | defer r.Unlock() 82 | 83 | if r.Pinned == nil { 84 | r.Pinned = make(map[string]bool) 85 | } 86 | r.Pinned[image] = pinned 87 | } 88 | 89 | // SetFakeFilesystemUsage sets the FilesystemUsage for FakeImageService. 90 | func (r *FakeImageService) SetFakeFilesystemUsage(usage []*runtimeapi.FilesystemUsage) { 91 | r.Lock() 92 | defer r.Unlock() 93 | 94 | r.FakeFilesystemUsage = usage 95 | } 96 | 97 | // SetFakeFilesystemUsage sets the FilesystemUsage for FakeImageService. 98 | func (r *FakeImageService) SetFakeContainerFilesystemUsage(usage []*runtimeapi.FilesystemUsage) { 99 | r.Lock() 100 | defer r.Unlock() 101 | 102 | r.FakeContainerFilesystemUsage = usage 103 | } 104 | 105 | // NewFakeImageService creates a new FakeImageService. 106 | func NewFakeImageService() *FakeImageService { 107 | return &FakeImageService{ 108 | Called: make([]string, 0), 109 | Errors: make(map[string][]error), 110 | Images: make(map[string]*runtimeapi.Image), 111 | } 112 | } 113 | 114 | func (r *FakeImageService) makeFakeImage(image *runtimeapi.ImageSpec) *runtimeapi.Image { 115 | return &runtimeapi.Image{ 116 | Id: image.Image, 117 | Size_: r.FakeImageSize, 118 | Spec: image, 119 | RepoTags: []string{image.Image}, 120 | Pinned: r.Pinned[image.Image], 121 | } 122 | } 123 | 124 | // stringInSlice returns true if s is in list 125 | func stringInSlice(s string, list []string) bool { 126 | for _, v := range list { 127 | if v == s { 128 | return true 129 | } 130 | } 131 | 132 | return false 133 | } 134 | 135 | // InjectError sets the error message for the FakeImageService. 136 | func (r *FakeImageService) InjectError(f string, err error) { 137 | r.Lock() 138 | defer r.Unlock() 139 | r.Errors[f] = append(r.Errors[f], err) 140 | } 141 | 142 | // caller of popError must grab a lock. 143 | func (r *FakeImageService) popError(f string) error { 144 | if r.Errors == nil { 145 | return nil 146 | } 147 | errs := r.Errors[f] 148 | if len(errs) == 0 { 149 | return nil 150 | } 151 | err, errs := errs[0], errs[1:] 152 | r.Errors[f] = errs 153 | return err 154 | } 155 | 156 | // ListImages returns the list of images from FakeImageService or error if it was previously set. 157 | func (r *FakeImageService) ListImages(_ context.Context, filter *runtimeapi.ImageFilter) ([]*runtimeapi.Image, error) { 158 | r.Lock() 159 | defer r.Unlock() 160 | 161 | r.Called = append(r.Called, "ListImages") 162 | if err := r.popError("ListImages"); err != nil { 163 | return nil, err 164 | } 165 | 166 | images := make([]*runtimeapi.Image, 0) 167 | for _, img := range r.Images { 168 | if filter != nil && filter.Image != nil { 169 | if !stringInSlice(filter.Image.Image, img.RepoTags) { 170 | continue 171 | } 172 | } 173 | 174 | images = append(images, img) 175 | } 176 | return images, nil 177 | } 178 | 179 | // ImageStatus returns the status of the image from the FakeImageService. 180 | func (r *FakeImageService) ImageStatus(_ context.Context, image *runtimeapi.ImageSpec, verbose bool) (*runtimeapi.ImageStatusResponse, error) { 181 | r.Lock() 182 | defer r.Unlock() 183 | 184 | r.Called = append(r.Called, "ImageStatus") 185 | if err := r.popError("ImageStatus"); err != nil { 186 | return nil, err 187 | } 188 | 189 | return &runtimeapi.ImageStatusResponse{Image: r.Images[image.Image]}, nil 190 | } 191 | 192 | // PullImage emulate pulling the image from the FakeImageService. 193 | func (r *FakeImageService) PullImage(_ context.Context, image *runtimeapi.ImageSpec, auth *runtimeapi.AuthConfig, podSandboxConfig *runtimeapi.PodSandboxConfig) (string, error) { 194 | r.Lock() 195 | defer r.Unlock() 196 | 197 | r.Called = append(r.Called, "PullImage") 198 | if err := r.popError("PullImage"); err != nil { 199 | return "", err 200 | } 201 | 202 | r.pulledImages = append(r.pulledImages, &pulledImage{imageSpec: image, authConfig: auth}) 203 | // ImageID should be randomized for real container runtime, but here just use 204 | // image's name for easily making fake images. 205 | imageID := image.Image 206 | if _, ok := r.Images[imageID]; !ok { 207 | r.Images[imageID] = r.makeFakeImage(image) 208 | } 209 | 210 | return imageID, nil 211 | } 212 | 213 | // RemoveImage removes image from the FakeImageService. 214 | func (r *FakeImageService) RemoveImage(_ context.Context, image *runtimeapi.ImageSpec) error { 215 | r.Lock() 216 | defer r.Unlock() 217 | 218 | r.Called = append(r.Called, "RemoveImage") 219 | if err := r.popError("RemoveImage"); err != nil { 220 | return err 221 | } 222 | 223 | // Remove the image 224 | delete(r.Images, image.Image) 225 | 226 | return nil 227 | } 228 | 229 | // ImageFsInfo returns information of the filesystem that is used to store images. 230 | func (r *FakeImageService) ImageFsInfo(_ context.Context) (*runtimeapi.ImageFsInfoResponse, error) { 231 | r.Lock() 232 | defer r.Unlock() 233 | 234 | r.Called = append(r.Called, "ImageFsInfo") 235 | if err := r.popError("ImageFsInfo"); err != nil { 236 | return nil, err 237 | } 238 | 239 | return &runtimeapi.ImageFsInfoResponse{ 240 | ImageFilesystems: r.FakeFilesystemUsage, 241 | ContainerFilesystems: r.FakeContainerFilesystemUsage, 242 | }, nil 243 | } 244 | 245 | // AssertImagePulledWithAuth validates whether the image was pulled with auth and asserts if it wasn't. 246 | func (r *FakeImageService) AssertImagePulledWithAuth(t *testing.T, image *runtimeapi.ImageSpec, auth *runtimeapi.AuthConfig, failMsg string) { 247 | r.Lock() 248 | defer r.Unlock() 249 | expected := &pulledImage{imageSpec: image, authConfig: auth} 250 | assert.Contains(t, r.pulledImages, expected, failMsg) 251 | } 252 | 253 | type pulledImage struct { 254 | imageSpec *runtimeapi.ImageSpec 255 | authConfig *runtimeapi.AuthConfig 256 | } 257 | -------------------------------------------------------------------------------- /pkg/apis/testing/fake_runtime_service.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2016 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package testing 18 | 19 | import ( 20 | "context" 21 | "fmt" 22 | "reflect" 23 | "sync" 24 | "time" 25 | 26 | runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" 27 | ) 28 | 29 | var ( 30 | // FakeVersion is a version of a fake runtime. 31 | FakeVersion = "0.1.0" 32 | 33 | // FakeRuntimeName is the name of the fake runtime. 34 | FakeRuntimeName = "fakeRuntime" 35 | 36 | // FakePodSandboxIPs is an IP address of the fake runtime. 37 | FakePodSandboxIPs = []string{"192.168.192.168"} 38 | ) 39 | 40 | // FakePodSandbox is the fake implementation of runtimeapi.PodSandboxStatus. 41 | type FakePodSandbox struct { 42 | // PodSandboxStatus contains the runtime information for a sandbox. 43 | runtimeapi.PodSandboxStatus 44 | // RuntimeHandler is the runtime handler that was issued with the RunPodSandbox request. 45 | RuntimeHandler string 46 | } 47 | 48 | // FakeContainer is a fake container. 49 | type FakeContainer struct { 50 | // ContainerStatus contains the runtime information for a container. 51 | runtimeapi.ContainerStatus 52 | 53 | // LinuxResources contains the resources specific to linux containers. 54 | LinuxResources *runtimeapi.LinuxContainerResources 55 | 56 | // the sandbox id of this container 57 | SandboxID string 58 | } 59 | 60 | // FakeRuntimeService is a fake runetime service. 61 | type FakeRuntimeService struct { 62 | sync.Mutex 63 | 64 | Called []string 65 | Errors map[string][]error 66 | 67 | FakeStatus *runtimeapi.RuntimeStatus 68 | Containers map[string]*FakeContainer 69 | Sandboxes map[string]*FakePodSandbox 70 | FakeContainerStats map[string]*runtimeapi.ContainerStats 71 | FakePodSandboxStats map[string]*runtimeapi.PodSandboxStats 72 | FakePodSandboxMetrics map[string]*runtimeapi.PodSandboxMetrics 73 | FakeMetricDescriptors map[string]*runtimeapi.MetricDescriptor 74 | FakeContainerMetrics map[string]*runtimeapi.ContainerMetrics 75 | FakeLinuxConfiguration *runtimeapi.LinuxRuntimeConfiguration 76 | 77 | ErrorOnSandboxCreate bool 78 | } 79 | 80 | // GetContainerID returns the unique container ID from the FakeRuntimeService. 81 | func (r *FakeRuntimeService) GetContainerID(sandboxID, name string, attempt uint32) (string, error) { 82 | r.Lock() 83 | defer r.Unlock() 84 | 85 | for id, c := range r.Containers { 86 | if c.SandboxID == sandboxID && c.Metadata.Name == name && c.Metadata.Attempt == attempt { 87 | return id, nil 88 | } 89 | } 90 | return "", fmt.Errorf("container (name, attempt, sandboxID)=(%q, %d, %q) not found", name, attempt, sandboxID) 91 | } 92 | 93 | // SetFakeSandboxes sets the fake sandboxes for the FakeRuntimeService. 94 | func (r *FakeRuntimeService) SetFakeSandboxes(sandboxes []*FakePodSandbox) { 95 | r.Lock() 96 | defer r.Unlock() 97 | 98 | r.Sandboxes = make(map[string]*FakePodSandbox) 99 | for _, sandbox := range sandboxes { 100 | sandboxID := sandbox.Id 101 | r.Sandboxes[sandboxID] = sandbox 102 | } 103 | } 104 | 105 | // SetFakeContainers sets fake containers for the FakeRuntimeService. 106 | func (r *FakeRuntimeService) SetFakeContainers(containers []*FakeContainer) { 107 | r.Lock() 108 | defer r.Unlock() 109 | 110 | r.Containers = make(map[string]*FakeContainer) 111 | for _, c := range containers { 112 | containerID := c.Id 113 | r.Containers[containerID] = c 114 | } 115 | 116 | } 117 | 118 | // AssertCalls validates whether specified calls were made to the FakeRuntimeService. 119 | func (r *FakeRuntimeService) AssertCalls(calls []string) error { 120 | r.Lock() 121 | defer r.Unlock() 122 | 123 | if !reflect.DeepEqual(calls, r.Called) { 124 | return fmt.Errorf("expected %#v, got %#v", calls, r.Called) 125 | } 126 | return nil 127 | } 128 | 129 | // GetCalls returns the list of calls made to the FakeRuntimeService. 130 | func (r *FakeRuntimeService) GetCalls() []string { 131 | r.Lock() 132 | defer r.Unlock() 133 | return append([]string{}, r.Called...) 134 | } 135 | 136 | // InjectError inject the error to the next call to the FakeRuntimeService. 137 | func (r *FakeRuntimeService) InjectError(f string, err error) { 138 | r.Lock() 139 | defer r.Unlock() 140 | r.Errors[f] = append(r.Errors[f], err) 141 | } 142 | 143 | // caller of popError must grab a lock. 144 | func (r *FakeRuntimeService) popError(f string) error { 145 | if r.Errors == nil { 146 | return nil 147 | } 148 | errs := r.Errors[f] 149 | if len(errs) == 0 { 150 | return nil 151 | } 152 | err, errs := errs[0], errs[1:] 153 | r.Errors[f] = errs 154 | return err 155 | } 156 | 157 | // NewFakeRuntimeService creates a new FakeRuntimeService. 158 | func NewFakeRuntimeService() *FakeRuntimeService { 159 | return &FakeRuntimeService{ 160 | Called: make([]string, 0), 161 | Errors: make(map[string][]error), 162 | Containers: make(map[string]*FakeContainer), 163 | Sandboxes: make(map[string]*FakePodSandbox), 164 | FakeContainerStats: make(map[string]*runtimeapi.ContainerStats), 165 | FakePodSandboxStats: make(map[string]*runtimeapi.PodSandboxStats), 166 | FakePodSandboxMetrics: make(map[string]*runtimeapi.PodSandboxMetrics), 167 | FakeContainerMetrics: make(map[string]*runtimeapi.ContainerMetrics), 168 | } 169 | } 170 | 171 | // Version returns version information from the FakeRuntimeService. 172 | func (r *FakeRuntimeService) Version(_ context.Context, apiVersion string) (*runtimeapi.VersionResponse, error) { 173 | r.Lock() 174 | defer r.Unlock() 175 | 176 | r.Called = append(r.Called, "Version") 177 | if err := r.popError("Version"); err != nil { 178 | return nil, err 179 | } 180 | 181 | return &runtimeapi.VersionResponse{ 182 | Version: FakeVersion, 183 | RuntimeName: FakeRuntimeName, 184 | RuntimeVersion: FakeVersion, 185 | RuntimeApiVersion: FakeVersion, 186 | }, nil 187 | } 188 | 189 | // Status returns runtime status of the FakeRuntimeService. 190 | func (r *FakeRuntimeService) Status(_ context.Context, verbose bool) (*runtimeapi.StatusResponse, error) { 191 | r.Lock() 192 | defer r.Unlock() 193 | 194 | r.Called = append(r.Called, "Status") 195 | if err := r.popError("Status"); err != nil { 196 | return nil, err 197 | } 198 | 199 | return &runtimeapi.StatusResponse{Status: r.FakeStatus}, nil 200 | } 201 | 202 | // RunPodSandbox emulates the run of the pod sandbox in the FakeRuntimeService. 203 | func (r *FakeRuntimeService) RunPodSandbox(_ context.Context, config *runtimeapi.PodSandboxConfig, runtimeHandler string) (string, error) { 204 | r.Lock() 205 | defer r.Unlock() 206 | 207 | r.Called = append(r.Called, "RunPodSandbox") 208 | if err := r.popError("RunPodSandbox"); err != nil { 209 | return "", err 210 | } 211 | 212 | if r.ErrorOnSandboxCreate { 213 | return "", fmt.Errorf("error on sandbox create") 214 | } 215 | 216 | // PodSandboxID should be randomized for real container runtime, but here just use 217 | // fixed name from BuildSandboxName() for easily making fake sandboxes. 218 | podSandboxID := BuildSandboxName(config.Metadata) 219 | createdAt := time.Now().UnixNano() 220 | r.Sandboxes[podSandboxID] = &FakePodSandbox{ 221 | PodSandboxStatus: runtimeapi.PodSandboxStatus{ 222 | Id: podSandboxID, 223 | Metadata: config.Metadata, 224 | State: runtimeapi.PodSandboxState_SANDBOX_READY, 225 | CreatedAt: createdAt, 226 | Network: &runtimeapi.PodSandboxNetworkStatus{ 227 | Ip: FakePodSandboxIPs[0], 228 | }, 229 | // Without setting sandboxStatus's Linux.Namespaces.Options, kubeGenericRuntimeManager's podSandboxChanged will consider it as network 230 | // namespace changed and always recreate sandbox which causes pod creation failed. 231 | // Ref `sandboxStatus.GetLinux().GetNamespaces().GetOptions().GetNetwork() != networkNamespaceForPod(pod)` in podSandboxChanged function. 232 | Linux: &runtimeapi.LinuxPodSandboxStatus{ 233 | Namespaces: &runtimeapi.Namespace{ 234 | Options: config.GetLinux().GetSecurityContext().GetNamespaceOptions(), 235 | }, 236 | }, 237 | Labels: config.Labels, 238 | Annotations: config.Annotations, 239 | RuntimeHandler: runtimeHandler, 240 | }, 241 | RuntimeHandler: runtimeHandler, 242 | } 243 | // assign additional IPs 244 | additionalIPs := FakePodSandboxIPs[1:] 245 | additionalPodIPs := make([]*runtimeapi.PodIP, 0, len(additionalIPs)) 246 | for _, ip := range additionalIPs { 247 | additionalPodIPs = append(additionalPodIPs, &runtimeapi.PodIP{ 248 | Ip: ip, 249 | }) 250 | } 251 | r.Sandboxes[podSandboxID].PodSandboxStatus.Network.AdditionalIps = additionalPodIPs 252 | return podSandboxID, nil 253 | } 254 | 255 | // StopPodSandbox emulates the stop of pod sandbox in the FakeRuntimeService. 256 | func (r *FakeRuntimeService) StopPodSandbox(_ context.Context, podSandboxID string) error { 257 | r.Lock() 258 | defer r.Unlock() 259 | 260 | r.Called = append(r.Called, "StopPodSandbox") 261 | if err := r.popError("StopPodSandbox"); err != nil { 262 | return err 263 | } 264 | 265 | if s, ok := r.Sandboxes[podSandboxID]; ok { 266 | s.State = runtimeapi.PodSandboxState_SANDBOX_NOTREADY 267 | } else { 268 | return fmt.Errorf("pod sandbox %s not found", podSandboxID) 269 | } 270 | 271 | return nil 272 | } 273 | 274 | // RemovePodSandbox emulates removal of the pod sadbox in the FakeRuntimeService. 275 | func (r *FakeRuntimeService) RemovePodSandbox(_ context.Context, podSandboxID string) error { 276 | r.Lock() 277 | defer r.Unlock() 278 | 279 | r.Called = append(r.Called, "RemovePodSandbox") 280 | if err := r.popError("RemovePodSandbox"); err != nil { 281 | return err 282 | } 283 | 284 | // Remove the pod sandbox 285 | delete(r.Sandboxes, podSandboxID) 286 | 287 | return nil 288 | } 289 | 290 | // PodSandboxStatus returns pod sandbox status from the FakeRuntimeService. 291 | func (r *FakeRuntimeService) PodSandboxStatus(_ context.Context, podSandboxID string, verbose bool) (*runtimeapi.PodSandboxStatusResponse, error) { 292 | r.Lock() 293 | defer r.Unlock() 294 | 295 | r.Called = append(r.Called, "PodSandboxStatus") 296 | if err := r.popError("PodSandboxStatus"); err != nil { 297 | return nil, err 298 | } 299 | 300 | s, ok := r.Sandboxes[podSandboxID] 301 | if !ok { 302 | return nil, fmt.Errorf("pod sandbox %q not found", podSandboxID) 303 | } 304 | 305 | status := s.PodSandboxStatus 306 | return &runtimeapi.PodSandboxStatusResponse{Status: &status}, nil 307 | } 308 | 309 | // ListPodSandbox returns the list of pod sandboxes in the FakeRuntimeService. 310 | func (r *FakeRuntimeService) ListPodSandbox(_ context.Context, filter *runtimeapi.PodSandboxFilter) ([]*runtimeapi.PodSandbox, error) { 311 | r.Lock() 312 | defer r.Unlock() 313 | 314 | r.Called = append(r.Called, "ListPodSandbox") 315 | if err := r.popError("ListPodSandbox"); err != nil { 316 | return nil, err 317 | } 318 | 319 | result := make([]*runtimeapi.PodSandbox, 0) 320 | for id, s := range r.Sandboxes { 321 | if filter != nil { 322 | if filter.Id != "" && filter.Id != id { 323 | continue 324 | } 325 | if filter.State != nil && filter.GetState().State != s.State { 326 | continue 327 | } 328 | if filter.LabelSelector != nil && !filterInLabels(filter.LabelSelector, s.GetLabels()) { 329 | continue 330 | } 331 | } 332 | 333 | result = append(result, &runtimeapi.PodSandbox{ 334 | Id: s.Id, 335 | Metadata: s.Metadata, 336 | State: s.State, 337 | CreatedAt: s.CreatedAt, 338 | Labels: s.Labels, 339 | Annotations: s.Annotations, 340 | RuntimeHandler: s.RuntimeHandler, 341 | }) 342 | } 343 | 344 | return result, nil 345 | } 346 | 347 | // PortForward emulates the set up of port forward in the FakeRuntimeService. 348 | func (r *FakeRuntimeService) PortForward(context.Context, *runtimeapi.PortForwardRequest) (*runtimeapi.PortForwardResponse, error) { 349 | r.Lock() 350 | defer r.Unlock() 351 | 352 | r.Called = append(r.Called, "PortForward") 353 | if err := r.popError("PortForward"); err != nil { 354 | return nil, err 355 | } 356 | 357 | return &runtimeapi.PortForwardResponse{}, nil 358 | } 359 | 360 | // CreateContainer emulates container creation in the FakeRuntimeService. 361 | func (r *FakeRuntimeService) CreateContainer(_ context.Context, podSandboxID string, config *runtimeapi.ContainerConfig, sandboxConfig *runtimeapi.PodSandboxConfig) (string, error) { 362 | r.Lock() 363 | defer r.Unlock() 364 | 365 | r.Called = append(r.Called, "CreateContainer") 366 | if err := r.popError("CreateContainer"); err != nil { 367 | return "", err 368 | } 369 | 370 | // ContainerID should be randomized for real container runtime, but here just use 371 | // fixed BuildContainerName() for easily making fake containers. 372 | containerID := BuildContainerName(config.Metadata, podSandboxID) 373 | createdAt := time.Now().UnixNano() 374 | createdState := runtimeapi.ContainerState_CONTAINER_CREATED 375 | imageRef := config.Image.Image 376 | r.Containers[containerID] = &FakeContainer{ 377 | ContainerStatus: runtimeapi.ContainerStatus{ 378 | Id: containerID, 379 | Metadata: config.Metadata, 380 | Image: config.Image, 381 | ImageRef: imageRef, 382 | CreatedAt: createdAt, 383 | State: createdState, 384 | Labels: config.Labels, 385 | Annotations: config.Annotations, 386 | }, 387 | SandboxID: podSandboxID, 388 | LinuxResources: config.GetLinux().GetResources(), 389 | } 390 | 391 | return containerID, nil 392 | } 393 | 394 | // StartContainer emulates start of a container in the FakeRuntimeService. 395 | func (r *FakeRuntimeService) StartContainer(_ context.Context, containerID string) error { 396 | r.Lock() 397 | defer r.Unlock() 398 | 399 | r.Called = append(r.Called, "StartContainer") 400 | if err := r.popError("StartContainer"); err != nil { 401 | return err 402 | } 403 | 404 | c, ok := r.Containers[containerID] 405 | if !ok { 406 | return fmt.Errorf("container %s not found", containerID) 407 | } 408 | 409 | // Set container to running. 410 | c.State = runtimeapi.ContainerState_CONTAINER_RUNNING 411 | c.StartedAt = time.Now().UnixNano() 412 | 413 | return nil 414 | } 415 | 416 | // StopContainer emulates stop of a container in the FakeRuntimeService. 417 | func (r *FakeRuntimeService) StopContainer(_ context.Context, containerID string, timeout int64) error { 418 | r.Lock() 419 | defer r.Unlock() 420 | 421 | r.Called = append(r.Called, "StopContainer") 422 | if err := r.popError("StopContainer"); err != nil { 423 | return err 424 | } 425 | 426 | c, ok := r.Containers[containerID] 427 | if !ok { 428 | return fmt.Errorf("container %q not found", containerID) 429 | } 430 | 431 | // Set container to exited state. 432 | finishedAt := time.Now().UnixNano() 433 | exitedState := runtimeapi.ContainerState_CONTAINER_EXITED 434 | c.State = exitedState 435 | c.FinishedAt = finishedAt 436 | 437 | return nil 438 | } 439 | 440 | // RemoveContainer emulates remove of a container in the FakeRuntimeService. 441 | func (r *FakeRuntimeService) RemoveContainer(_ context.Context, containerID string) error { 442 | r.Lock() 443 | defer r.Unlock() 444 | 445 | r.Called = append(r.Called, "RemoveContainer") 446 | if err := r.popError("RemoveContainer"); err != nil { 447 | return err 448 | } 449 | 450 | // Remove the container 451 | delete(r.Containers, containerID) 452 | 453 | return nil 454 | } 455 | 456 | // ListContainers returns the list of containers in the FakeRuntimeService. 457 | func (r *FakeRuntimeService) ListContainers(_ context.Context, filter *runtimeapi.ContainerFilter) ([]*runtimeapi.Container, error) { 458 | r.Lock() 459 | defer r.Unlock() 460 | 461 | r.Called = append(r.Called, "ListContainers") 462 | if err := r.popError("ListContainers"); err != nil { 463 | return nil, err 464 | } 465 | 466 | result := make([]*runtimeapi.Container, 0) 467 | for _, s := range r.Containers { 468 | if filter != nil { 469 | if filter.Id != "" && filter.Id != s.Id { 470 | continue 471 | } 472 | if filter.PodSandboxId != "" && filter.PodSandboxId != s.SandboxID { 473 | continue 474 | } 475 | if filter.State != nil && filter.GetState().State != s.State { 476 | continue 477 | } 478 | if filter.LabelSelector != nil && !filterInLabels(filter.LabelSelector, s.GetLabels()) { 479 | continue 480 | } 481 | } 482 | 483 | result = append(result, &runtimeapi.Container{ 484 | Id: s.Id, 485 | CreatedAt: s.CreatedAt, 486 | PodSandboxId: s.SandboxID, 487 | Metadata: s.Metadata, 488 | State: s.State, 489 | Image: s.Image, 490 | ImageRef: s.ImageRef, 491 | Labels: s.Labels, 492 | Annotations: s.Annotations, 493 | }) 494 | } 495 | 496 | return result, nil 497 | } 498 | 499 | // ContainerStatus returns the container status given the container ID in FakeRuntimeService. 500 | func (r *FakeRuntimeService) ContainerStatus(_ context.Context, containerID string, verbose bool) (*runtimeapi.ContainerStatusResponse, error) { 501 | r.Lock() 502 | defer r.Unlock() 503 | 504 | r.Called = append(r.Called, "ContainerStatus") 505 | if err := r.popError("ContainerStatus"); err != nil { 506 | return nil, err 507 | } 508 | 509 | c, ok := r.Containers[containerID] 510 | if !ok { 511 | return nil, fmt.Errorf("container %q not found", containerID) 512 | } 513 | 514 | status := c.ContainerStatus 515 | return &runtimeapi.ContainerStatusResponse{Status: &status}, nil 516 | } 517 | 518 | // UpdateContainerResources returns the container resource in the FakeRuntimeService. 519 | func (r *FakeRuntimeService) UpdateContainerResources(context.Context, string, *runtimeapi.ContainerResources) error { 520 | r.Lock() 521 | defer r.Unlock() 522 | 523 | r.Called = append(r.Called, "UpdateContainerResources") 524 | return r.popError("UpdateContainerResources") 525 | } 526 | 527 | // ExecSync emulates the sync execution of a command in a container in the FakeRuntimeService. 528 | func (r *FakeRuntimeService) ExecSync(_ context.Context, containerID string, cmd []string, timeout time.Duration) (stdout []byte, stderr []byte, err error) { 529 | r.Lock() 530 | defer r.Unlock() 531 | 532 | r.Called = append(r.Called, "ExecSync") 533 | err = r.popError("ExecSync") 534 | return 535 | } 536 | 537 | // Exec emulates the execution of a command in a container in the FakeRuntimeService. 538 | func (r *FakeRuntimeService) Exec(context.Context, *runtimeapi.ExecRequest) (*runtimeapi.ExecResponse, error) { 539 | r.Lock() 540 | defer r.Unlock() 541 | 542 | r.Called = append(r.Called, "Exec") 543 | if err := r.popError("Exec"); err != nil { 544 | return nil, err 545 | } 546 | 547 | return &runtimeapi.ExecResponse{}, nil 548 | } 549 | 550 | // Attach emulates the attach request in the FakeRuntimeService. 551 | func (r *FakeRuntimeService) Attach(_ context.Context, req *runtimeapi.AttachRequest) (*runtimeapi.AttachResponse, error) { 552 | r.Lock() 553 | defer r.Unlock() 554 | 555 | r.Called = append(r.Called, "Attach") 556 | if err := r.popError("Attach"); err != nil { 557 | return nil, err 558 | } 559 | 560 | return &runtimeapi.AttachResponse{}, nil 561 | } 562 | 563 | // UpdateRuntimeConfig emulates the update of a runtime config for the FakeRuntimeService. 564 | func (r *FakeRuntimeService) UpdateRuntimeConfig(_ context.Context, runtimeCOnfig *runtimeapi.RuntimeConfig) error { 565 | r.Lock() 566 | defer r.Unlock() 567 | 568 | r.Called = append(r.Called, "UpdateRuntimeConfig") 569 | return r.popError("UpdateRuntimeConfig") 570 | } 571 | 572 | // SetFakeContainerStats sets the fake container stats in the FakeRuntimeService. 573 | func (r *FakeRuntimeService) SetFakeContainerStats(containerStats []*runtimeapi.ContainerStats) { 574 | r.Lock() 575 | defer r.Unlock() 576 | 577 | r.FakeContainerStats = make(map[string]*runtimeapi.ContainerStats) 578 | for _, s := range containerStats { 579 | r.FakeContainerStats[s.Attributes.Id] = s 580 | } 581 | } 582 | 583 | // ContainerStats returns the container stats in the FakeRuntimeService. 584 | func (r *FakeRuntimeService) ContainerStats(_ context.Context, containerID string) (*runtimeapi.ContainerStats, error) { 585 | r.Lock() 586 | defer r.Unlock() 587 | 588 | r.Called = append(r.Called, "ContainerStats") 589 | if err := r.popError("ContainerStats"); err != nil { 590 | return nil, err 591 | } 592 | 593 | s, found := r.FakeContainerStats[containerID] 594 | if !found { 595 | return nil, fmt.Errorf("no stats for container %q", containerID) 596 | } 597 | return s, nil 598 | } 599 | 600 | // ListContainerStats returns the list of all container stats given the filter in the FakeRuntimeService. 601 | func (r *FakeRuntimeService) ListContainerStats(_ context.Context, filter *runtimeapi.ContainerStatsFilter) ([]*runtimeapi.ContainerStats, error) { 602 | r.Lock() 603 | defer r.Unlock() 604 | 605 | r.Called = append(r.Called, "ListContainerStats") 606 | if err := r.popError("ListContainerStats"); err != nil { 607 | return nil, err 608 | } 609 | 610 | var result []*runtimeapi.ContainerStats 611 | for _, c := range r.Containers { 612 | if filter != nil { 613 | if filter.Id != "" && filter.Id != c.Id { 614 | continue 615 | } 616 | if filter.PodSandboxId != "" && filter.PodSandboxId != c.SandboxID { 617 | continue 618 | } 619 | if filter.LabelSelector != nil && !filterInLabels(filter.LabelSelector, c.GetLabels()) { 620 | continue 621 | } 622 | } 623 | s, found := r.FakeContainerStats[c.Id] 624 | if !found { 625 | continue 626 | } 627 | result = append(result, s) 628 | } 629 | 630 | return result, nil 631 | } 632 | 633 | // SetFakePodSandboxStats sets the fake pod sandbox stats in the FakeRuntimeService. 634 | func (r *FakeRuntimeService) SetFakePodSandboxStats(podStats []*runtimeapi.PodSandboxStats) { 635 | r.Lock() 636 | defer r.Unlock() 637 | 638 | r.FakePodSandboxStats = make(map[string]*runtimeapi.PodSandboxStats) 639 | for _, s := range podStats { 640 | r.FakePodSandboxStats[s.Attributes.Id] = s 641 | } 642 | } 643 | 644 | // PodSandboxStats returns the sandbox stats in the FakeRuntimeService. 645 | func (r *FakeRuntimeService) PodSandboxStats(_ context.Context, podSandboxID string) (*runtimeapi.PodSandboxStats, error) { 646 | r.Lock() 647 | defer r.Unlock() 648 | 649 | r.Called = append(r.Called, "PodSandboxStats") 650 | if err := r.popError("PodSandboxStats"); err != nil { 651 | return nil, err 652 | } 653 | 654 | s, found := r.FakePodSandboxStats[podSandboxID] 655 | if !found { 656 | return nil, fmt.Errorf("no stats for pod sandbox %q", podSandboxID) 657 | } 658 | return s, nil 659 | } 660 | 661 | // ListPodSandboxStats returns the list of all pod sandbox stats given the filter in the FakeRuntimeService. 662 | func (r *FakeRuntimeService) ListPodSandboxStats(_ context.Context, filter *runtimeapi.PodSandboxStatsFilter) ([]*runtimeapi.PodSandboxStats, error) { 663 | r.Lock() 664 | defer r.Unlock() 665 | 666 | r.Called = append(r.Called, "ListPodSandboxStats") 667 | if err := r.popError("ListPodSandboxStats"); err != nil { 668 | return nil, err 669 | } 670 | 671 | var result []*runtimeapi.PodSandboxStats 672 | for _, sb := range r.Sandboxes { 673 | if filter != nil { 674 | if filter.Id != "" && filter.Id != sb.Id { 675 | continue 676 | } 677 | if filter.LabelSelector != nil && !filterInLabels(filter.LabelSelector, sb.GetLabels()) { 678 | continue 679 | } 680 | } 681 | s, found := r.FakePodSandboxStats[sb.Id] 682 | if !found { 683 | continue 684 | } 685 | result = append(result, s) 686 | } 687 | 688 | return result, nil 689 | } 690 | 691 | // ReopenContainerLog emulates call to the reopen container log in the FakeRuntimeService. 692 | func (r *FakeRuntimeService) ReopenContainerLog(_ context.Context, containerID string) error { 693 | r.Lock() 694 | defer r.Unlock() 695 | 696 | r.Called = append(r.Called, "ReopenContainerLog") 697 | 698 | if err := r.popError("ReopenContainerLog"); err != nil { 699 | return err 700 | } 701 | 702 | return nil 703 | } 704 | 705 | // CheckpointContainer emulates call to checkpoint a container in the FakeRuntimeService. 706 | func (r *FakeRuntimeService) CheckpointContainer(_ context.Context, options *runtimeapi.CheckpointContainerRequest) error { 707 | r.Lock() 708 | defer r.Unlock() 709 | 710 | r.Called = append(r.Called, "CheckpointContainer") 711 | 712 | if err := r.popError("CheckpointContainer"); err != nil { 713 | return err 714 | } 715 | 716 | return nil 717 | } 718 | 719 | func (f *FakeRuntimeService) GetContainerEvents(ctx context.Context, containerEventsCh chan *runtimeapi.ContainerEventResponse, connectionEstablishedCallback func(runtimeapi.RuntimeService_GetContainerEventsClient)) error { 720 | return nil 721 | } 722 | 723 | // SetFakeMetricDescriptors sets the fake metrics descriptors in the FakeRuntimeService. 724 | func (r *FakeRuntimeService) SetFakeMetricDescriptors(descs []*runtimeapi.MetricDescriptor) { 725 | r.Lock() 726 | defer r.Unlock() 727 | 728 | r.FakeMetricDescriptors = make(map[string]*runtimeapi.MetricDescriptor) 729 | for _, d := range descs { 730 | r.FakeMetricDescriptors[d.Name] = d 731 | } 732 | } 733 | 734 | // ListMetricDescriptors gets the descriptors for the metrics that will be returned in ListPodSandboxMetrics. 735 | func (r *FakeRuntimeService) ListMetricDescriptors(_ context.Context) ([]*runtimeapi.MetricDescriptor, error) { 736 | r.Lock() 737 | defer r.Unlock() 738 | 739 | r.Called = append(r.Called, "ListMetricDescriptors") 740 | if err := r.popError("ListMetricDescriptors"); err != nil { 741 | return nil, err 742 | } 743 | 744 | descs := make([]*runtimeapi.MetricDescriptor, 0, len(r.FakeMetricDescriptors)) 745 | for _, d := range r.FakeMetricDescriptors { 746 | descs = append(descs, d) 747 | } 748 | 749 | return descs, nil 750 | } 751 | 752 | // SetFakePodSandboxMetrics sets the fake pod sandbox metrics in the FakeRuntimeService. 753 | func (r *FakeRuntimeService) SetFakePodSandboxMetrics(podStats []*runtimeapi.PodSandboxMetrics) { 754 | r.Lock() 755 | defer r.Unlock() 756 | 757 | r.FakePodSandboxMetrics = make(map[string]*runtimeapi.PodSandboxMetrics) 758 | for _, s := range podStats { 759 | r.FakePodSandboxMetrics[s.PodSandboxId] = s 760 | } 761 | } 762 | 763 | // ListPodSandboxMetrics returns the list of all pod sandbox metrics in the FakeRuntimeService. 764 | func (r *FakeRuntimeService) ListPodSandboxMetrics(_ context.Context) ([]*runtimeapi.PodSandboxMetrics, error) { 765 | r.Lock() 766 | defer r.Unlock() 767 | 768 | r.Called = append(r.Called, "ListPodSandboxMetrics") 769 | if err := r.popError("ListPodSandboxMetrics"); err != nil { 770 | return nil, err 771 | } 772 | 773 | var result []*runtimeapi.PodSandboxMetrics 774 | for _, sb := range r.Sandboxes { 775 | s, found := r.FakePodSandboxMetrics[sb.Id] 776 | if !found { 777 | continue 778 | } 779 | result = append(result, s) 780 | } 781 | 782 | return result, nil 783 | } 784 | 785 | // RuntimeConfig returns runtime configuration of the FakeRuntimeService. 786 | func (r *FakeRuntimeService) RuntimeConfig(_ context.Context) (*runtimeapi.RuntimeConfigResponse, error) { 787 | r.Lock() 788 | defer r.Unlock() 789 | 790 | r.Called = append(r.Called, "RuntimeConfig") 791 | if err := r.popError("RuntimeConfig"); err != nil { 792 | return nil, err 793 | } 794 | 795 | return &runtimeapi.RuntimeConfigResponse{Linux: r.FakeLinuxConfiguration}, nil 796 | } 797 | 798 | // UpdatePodSandboxResources returns the container resource in the FakeRuntimeService. 799 | func (r *FakeRuntimeService) UpdatePodSandboxResources(context.Context, *runtimeapi.UpdatePodSandboxResourcesRequest) (*runtimeapi.UpdatePodSandboxResourcesResponse, error) { 800 | r.Lock() 801 | defer r.Unlock() 802 | 803 | r.Called = append(r.Called, "UpdatePodSandboxResources") 804 | if err := r.popError("UpdatePodSandboxResources"); err != nil { 805 | return nil, err 806 | } 807 | 808 | return &runtimeapi.UpdatePodSandboxResourcesResponse{}, nil 809 | } 810 | -------------------------------------------------------------------------------- /pkg/apis/testing/utils.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2016 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package testing 18 | 19 | import ( 20 | "fmt" 21 | 22 | runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" 23 | ) 24 | 25 | // BuildContainerName creates a unique container name string. 26 | func BuildContainerName(metadata *runtimeapi.ContainerMetadata, sandboxID string) string { 27 | // include the sandbox ID to make the container ID unique. 28 | return fmt.Sprintf("%s_%s_%d", sandboxID, metadata.Name, metadata.Attempt) 29 | } 30 | 31 | // BuildSandboxName creates a unique sandbox name string. 32 | func BuildSandboxName(metadata *runtimeapi.PodSandboxMetadata) string { 33 | return fmt.Sprintf("%s_%s_%s_%d", metadata.Name, metadata.Namespace, metadata.Uid, metadata.Attempt) 34 | } 35 | 36 | func filterInLabels(filter, labels map[string]string) bool { 37 | for k, v := range filter { 38 | if value, ok := labels[k]; ok { 39 | if value != v { 40 | return false 41 | } 42 | } else { 43 | return false 44 | } 45 | } 46 | 47 | return true 48 | } 49 | -------------------------------------------------------------------------------- /pkg/errors/doc.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | // Package errors provides helper functions for use by the kubelet 18 | // to deal with CRI errors. 19 | package errors 20 | -------------------------------------------------------------------------------- /pkg/errors/errors.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package errors 18 | 19 | import ( 20 | "errors" 21 | 22 | "google.golang.org/grpc/codes" 23 | "google.golang.org/grpc/status" 24 | ) 25 | 26 | var ( 27 | // ErrRegistryUnavailable - Get http error on the PullImage RPC call. 28 | ErrRegistryUnavailable = errors.New("RegistryUnavailable") 29 | 30 | // ErrSignatureValidationFailed - Unable to validate the image signature on the PullImage RPC call. 31 | ErrSignatureValidationFailed = errors.New("SignatureValidationFailed") 32 | 33 | // ErrRROUnsupported - Unable to enforce recursive readonly mounts 34 | ErrRROUnsupported = errors.New("RROUnsupported") 35 | 36 | // ErrImageVolumeMountFailed - Unable to mount an image volume. 37 | ErrImageVolumeMountFailed = errors.New("ImageVolumeMountFailed") 38 | ) 39 | 40 | // IsNotFound returns a boolean indicating whether the error 41 | // is grpc not found error. 42 | // See https://github.com/grpc/grpc/blob/master/doc/statuscodes.md 43 | // for a list of grpc status codes. 44 | func IsNotFound(err error) bool { 45 | s, ok := status.FromError(err) 46 | if !ok { 47 | return ok 48 | } 49 | if s.Code() == codes.NotFound { 50 | return true 51 | } 52 | 53 | return false 54 | } 55 | -------------------------------------------------------------------------------- /pkg/errors/errors_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright 2020 The Kubernetes Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | package errors 18 | 19 | import ( 20 | "fmt" 21 | "testing" 22 | 23 | "google.golang.org/grpc/codes" 24 | "google.golang.org/grpc/status" 25 | ) 26 | 27 | func TestErrorIsNotFound(t *testing.T) { 28 | enf := status.Errorf(codes.NotFound, "container not found") 29 | if !IsNotFound(enf) { 30 | t.Errorf("%v expected to pass not found check", enf) 31 | } 32 | } 33 | 34 | func TestSimpleErrorDoesNotTriggerNotFound(t *testing.T) { 35 | err := fmt.Errorf("Some random error") 36 | if IsNotFound(err) { 37 | t.Errorf("%v unexpectedly passed not found check", err) 38 | } 39 | } 40 | 41 | func TestOtherGrpcErrorDoesNotTriggerNotFound(t *testing.T) { 42 | gerr := status.Errorf(codes.DeadlineExceeded, "timed out") 43 | if IsNotFound(gerr) { 44 | t.Errorf("%v unexpectedly passed not found check", gerr) 45 | } 46 | } 47 | --------------------------------------------------------------------------------